DevCentral Connects: Log4j CVE-2021-44228
Buu and John held court today in a special Monday episode of DevCentral Connects with F5 security experts MegaZone, David Warburton, and Joe Martin to discuss the log4j vulnerability. Resources AskF5 Solution on the Vulnerability (K19026212) F5 Labs: Explaining the Widespread log4j vulnerability Beyond patching and mitigations, maybe some architecture changes? (LinkedIn Thread) Talking to Leadership (Slide Deck from InfoSec Innovations)Block Log4j with use of IOCs
Problem this snippet solves: iRule that helps to mitigate the Log4j vulnerability with use of public available IOCs. Currently the following IOCs can be used: cert-agid.gov.it (Contains scan IP's): https://cert-agid.gov.it/download/log4shell-iocs.txt NLD Police: https://thanksforallthefish.nl/log4j_blocklist.txt These IOCs combined will result in about 25191 IP addresses being blocked. The plan is to add some more IOCs soon. Last update: 27 December 2021 How to use this snippet: This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension. Create LX Workpace: log4j_ioc Add iRule: log4j_ioc_irule Add Extension: log4j_ioc_extension (index.js) Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc) Install the required NodeJS modules. Use SSH to login to your BIG-IP and install the https and lokijs modules. # cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension # nmp install https lokijs --save Tested this on version: 15.1
F5 Rules for AWS WAF - Web exploits OWASP Rules - Need Log4J update CVE-2021-44228
Hi, Can you confirm if the following product has been updated to provide protection from Log4J, CVE-2021-44228 ? https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi F5 Rules for AWS WAF - Web exploits OWASP RulesMitigating Log4j Vulnerability using F5 BIG-IP
This article throws some light on the Apache Log4j vulnerability (CVE-2021-44228) and how attackers can exploit this vulnerability by injecting malicious JNDI strings into input fields, HTTP headers, API requests, etc. Finally we also provided solution how we can protect it using F5 Advanced WAF.
