This post will be updated over the next several days.
Recently, a Remote Code Execution vulnerability was discovered in the Apache Log4J library. This vulnerability, which is tracked in CVE-2021-44228, dubbed Log4Shell, allows attackers to execute arbitrary code on affected systems.
While HAProxy, HAProxy Enterprise, HAProxy ALOHA, and other products within the HAProxy Technologies portfolio are not impacted by this (they do not use the Log4J library at all), you can use them to block the attack.
These mitigation techniques we describe are subject to change as attackers come up with new evasion methods, new false positives are discovered, or better ways to handle this are found. When the rules change this blog post will be updated with a changelog added to the top. While these rules have been tested, it is possible that there are false positives or false negatives still remaining, so for sensitive environments we recommend testing these rules in your environment (such as replacing the http-request deny rules with an http-request capture rule to log violations rather than deny them outright). Use HAProxy or HAProxy Enterprise 1.8 or newer, or HAProxy ALOHA 10.5 or newer, to use the syntax we describe.
Regardless of these protections, if you are using Log4j in your environment you should update to 2.16.0 or newer from their download page.
If your applications log (or might log) information in the post body you might want to consider expanding the filtering of the post body. Some applications log user names or transaction id’s in the post body and should have req.body filtered, due to false positive risk with there being no json_parse decoder we don’t include it by default (nor does ModSecurity CRS), but it can be enabled easily if it fits your environment (and you can monitor/tolerate false positives). This can be done by adding more deny/acl lines like ‘log4shell_form’ to decode/scan specific content types if using ACL’s or by adding REQUEST_BODY to the match zones on the SecRule line if using ModSecurity.
To block the attack, add the following ACLs, which are an adaptation of the ModSecurity solution described later, to a
listen section within your load balancer configuration:
Alternatively, enable the ModSecurity WAF module:
Find the following line in the file /etc/hapee-2.4/modsec.rules.d/lb-modsecurity.conf:
Or find the following line in the file /app/security/etc/sec-offloader/modsecurity.load in HAProxy ALOHA :
Then add the following rules directly after:
These rules can be found on the Log4j blog post from coreruleset.org. If this is the first time you are enabling the ModSecurity WAF, we recommend running it in detection-only mode at first, to log malicious requests, but not immediately block them.
With HAProxy Enterprise, you can also block the attack by enabling the Advanced WAF:
Then update your ruleset files by updating to the latest hapee-2.4r1-lb-wafadvanced package (or using the corresponding package for your version of HAProxy Enterprise). Follow the documentation for how to set thresholds for blocking threats.
If this is the first time you are enabling the Advanced WAF, we recommend running it in learning mode at first, to log malicious requests, but not immediately block them.
To test if the mitigations you have configured are working correctly, try the following curl command:
If the blocking rules are working correctly, that request will be denied.
- 12/15 9:30 AM EST: Updated ModSecurity rule based on CRS guidance
- 12/15 9:30 AM EST: Fixed incorrect filename for HAProxy ALOHA
- 12/15 11:00 AM EST: Updated ACL example to use simplified rules
- 12/15 5:15 PM EST: Updated ModSecurity and ACL rules based on CRS guidance
- 12/17 3:41 PM EST: Added guidance on post body filtering
- 12/20 11:00 AM EST: Updated ModSecurity targets per CRS guidance