Block Log4j with use of IOCs
Problem this snippet solves: iRule that helps to mitigate the Log4j vulnerability with use of public available IOCs. Currently the following IOCs can be used: cert-agid.gov.it (Contains scan IP's): https://cert-agid.gov.it/download/log4shell-iocs.txt NLD Police: https://thanksforallthefish.nl/log4j_blocklist.txt These IOCs combined will result in about 25191 IP addresses being blocked. The plan is to add some more IOCs soon. Last update: 27 December 2021 How to use this snippet: This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension. Create LX Workpace: log4j_ioc Add iRule: log4j_ioc_irule Add Extension: log4j_ioc_extension (index.js) Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc) Install the required NodeJS modules. Use SSH to login to your BIG-IP and install the https and lokijs modules. # cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension # nmp install https lokijs --save Tested this on version: 15.1Mitigating Log4j Vulnerability using F5 BIG-IP
This article throws some light on the Apache Log4j vulnerability (CVE-2021-44228) and how attackers can exploit this vulnerability by injecting malicious JNDI strings into input fields, HTTP headers, API requests, etc. Finally we also provided solution how we can protect it using F5 Advanced WAF.
