Imperva Cyber Community


Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

  • 1.  Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-11-2021 07:26
    Hi,

    Is there a temporary virtual patch for "Apache Log4j2 CVE-2021-44228"?

    Regular signatures are easily bypassed; is there a better one?
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Yingfan Qiu
    sale engineer
    Shenzhen,China
    ------------------------------


  • 2.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-11-2021 13:39
    Hi,

    Same question here from Germany! I see ADC Content is still Nov 29.

    Thanks

    Martin

    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------



  • 3.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability
    Best Answer

    Posted 12-11-2021 14:09

    Hi there,

    Please follow the steps in this blog. Note that I have included the steps as an image to allow for all actions to be included.

    Manual Mitigation for Zero Day Remote code injection in Log4j (imperva.com)

    I hope this helps.

    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 4.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-11-2021 15:29
    Hi,

    Is this working for anyone? I implemented the policy on 2 MXs but I see no alerts?

    Thx

    Martin

    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------



  • 5.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-11-2021 16:19
    Hi Martin, 

    If you are concerned, it may be best to raise a ticket with support while you wait for feedback here. They will be able to consider the specifics of your environment.

    Many thanks,

    Sarah

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 6.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-11-2021 16:23
    Thanks Sarah,

    Already done, waiting for feedback from support!

    I added
    ${jindi
    behind a URL and got no hit on the policy?!?

    Kind regards

    Martin


    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------



  • 7.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-12-2021 20:54
    Should be "jndi"....

    You can use the following code to verify the signature, in the URL or parameters




    ------------------------------
    Yingfan Qiu
    sale engineer
    Shenzhen,China
    ------------------------------



  • 8.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-12-2021 06:40
    Hi,

    Signature was updated two days ago.

    The following signature codes have been found to bypass the regular signature codes.

    Since the attack signature cannot be sent directly, the screenshot shows that
    Are there any solutions for these bypassing methods?

    Thx


    ------------------------------
    Yingfan Qiu
    sale engineer
    Shenzhen,China
    ------------------------------



  • 9.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-12-2021 11:03

    @YingFan Qiu if you haven't already, please raise with support so that they can advise. If I have any further updates I will share here.

    Thank you.



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 10.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-13-2021 03:39
    Edited by YingFan Qiu 12-13-2021 03:40
    After several verifications, the 2.0 signature is very effective; it was previously invalid due to misconfiguration.
    Thank you very much

    ------------------------------
    Yingfan Qiu
    sale engineer
    Shenzhen,China
    ------------------------------



  • 11.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-13-2021 04:47
    That's great, @YingFan Qiu.

    @Martin Schmitz How is it going for you?

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 12.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-13-2021 08:44

    Hi All 

    Just a note that this blog was updated on 13 December 2021 at 13.34 GMT

    UPDATE: Manual Mitigation for Zero Day Remote code injection in Log4j



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 13.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-14-2021 13:21
    This blog has been updated once again: December 14, 18.21 GMT

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 14.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-14-2021 04:18
    In case you missed it, here is more info from the Office of the CTO:
    How We're Protecting Customers & Staying Ahead of CVE-2021-44228 (imperva.com)

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 15.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-14-2021 10:51
    Hi,

    Imperva does its job!

    At least we see lots of alerts. We'll have to see if there are ways to circumvent the regex used, most likely there are.

    Unfortunately I saw many WAFs configured incorrectly so I put a guide on my webpage on how to set this up, check here:

    https://www.martinschmitz.it/cve-2021-44228/

    Thanks
    Martin

    I will try to keep this up to date as new information is available!

    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------



  • 16.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-15-2021 03:28
    Thanks for sharing, Martin!

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 17.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-15-2021 07:28
    Hi,

    Good thing Imperva updated their ADC Security Content.

    https://docs.imperva.com/howto/592d383d/

    ------------------------------
    Oliver Naabay
    Engineer
    Makati
    ------------------------------



  • 18.  RE: Problem : Virtual patch for the "Apache Log4j2 CVE-2021-44228" vulnerability

    Posted 12-16-2021 05:22
    Hi All,

    Just to let you know there is a new blog from Kunal Anand, CTO.

    Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions (imperva.com)

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------