modsecurity rule to filter CVE-2021-44228/LogJam/Log4Shell [update]

December 10, 2021

As a fast workaround, a friend of mine made a modsecurity rule to filter CVE-2021-44228/LogJam/Log4Shell, which he allowed me to share with you.

SecRule \
  ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:" \
  "phase:1, \
  id:751001, \
  t:none, \
  deny, \
  status:403, \
  log, \
  auditlog, \
  msg:'Block: CVE-2021-44228 - deny pattern \"jndi:ldap:\"', \
  severity:'5', \
  rev:1, \
  tag:'no_ar'"

New improved version:

  
SecRule \
  ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
  "phase:1, \
  id:751001, \
  t:none, \
  deny, \
  status:403, \
  log, \
  auditlog, \
  msg:'DVT: CVE-2021-44228 - phase 1 - deny known \"jndi:\" pattern', \
  severity:'5', \
  rev:1, \
  tag:'no_ar'"
  
SecRule \
  ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
  "phase:2, \
  id:751002, \
  t:none, \
  deny, \
  status:403, \
  log, \
  auditlog, \
  msg:'DVT: CVE-2021-44228 - phase 2 - deny known \"jndi:\" pattern', \
  severity:'5', \
  rev:1, \
  tag:'no_ar'

5 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Why phase 1 rule? Won’t the vuln trigger if the attacker send the pattern in POST request body?

    Comment by Ali — December 11, 2021 #

  2. We need phase 1 so it runs before the shibboleth plugin (which could be vulnerable) for SAML. But you’re correct, we require more rules if the attackers adapt – thx for the hint.

    Comment by robert — December 11, 2021 #

  3. Should also include jndi:dns and jndi:rmi?

    Comment by R — December 11, 2021 #

  4. AFAICT, this will not stop things like the ones mentioned here: https://twitter.com/Rezn0k/status/1469523006015750146

    Comment by Jakob — December 13, 2021 #

  5. Sure, nothing is stopping that. These rules were only there to protect you the first 1-2 days before you identified all your vulnerable systems and patched them or applied the workaround to give you more time. By now, Monday, you should have done the work for all internet facing systems – there is a reason most of us worked in the weekend. 🙂

    ps: The official WAF rule for this by Citrix for the ADC has the same problem – and so will most other WAFs.

    Comment by robert — December 13, 2021 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 52 queries. 0.050 seconds.