Ensure Application Gateway WAF prevents message lookup in Log4j2

Error: Application Gateway WAF allows message lookup in Log4j2

Bridgecrew Policy ID: BC_AZR_NETWORKING_47
Checkov Check ID: CKV_AZURE_135
Severity: MEDIUM

Description

Using a vulnerable version of the Apache Log4j library lets an attacker abuse its Lookup mechanism: special syntax placed in a logged format string makes the library issue requests on the attacker's behalf, which can lead to code execution, data leakage and more.
Configure your Application Gateway WAF policy to block such lookups by attaching the managed rule set in the definition below.

Learn more about CVE-2021-44228

Fix - Buildtime

Terraform

  • Resource: azurerm_web_application_firewall_policy

resource "azurerm_web_application_firewall_policy" "example" {
  location            = "germanywestcentral"
  name                = "example"
  resource_group_name = "example"

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.1"
    }
  }

  policy_settings {}
}
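To see what the policy above actually has to satisfy, here is a small Python re-implementation of the check's idea, written for this page as an added example; it is not Checkov's own code. It assumes resources arrive as plain dicts in the shape Checkov's HCL parser produces (every attribute value wrapped in a one-element list, nested blocks as lists of dicts). The sample policies, the CRS rule group name REQUEST-944-APPLICATION-ATTACK-JAVA and the choice to treat a disabled rule 944240 in that group as a failure are this example's own assumptions, added to show that a compliant version string alone is not enough if an override mutes the relevant rule.

```python
"""Simplified CKV_AZURE_135-style check over parsed Terraform (added example)."""
from __future__ import annotations

from typing import Any

# Assumptions for this example: the CRS rule group covering Java attacks and
# the rule id whose override we treat as defeating the Log4j protection.
JAVA_RULE_GROUP = "REQUEST-944-APPLICATION-ATTACK-JAVA"
LOG4J_RULE_ID = "944240"
MIN_CRS_VERSION = (3, 1)  # the page's fix uses OWASP 3.1


def _first(value: Any, default: Any = None) -> Any:
    """Checkov wraps scalar attributes in a one-element list; unwrap it."""
    if isinstance(value, list):
        return value[0] if value else default
    return value if value is not None else default


def _version_tuple(value: str) -> tuple[int, ...]:
    return tuple(int(part) for part in value.split("."))


def _java_rule_disabled(rule_set: dict) -> bool:
    """True if a rule_group_override switches off the Log4j-relevant rule."""
    for override in rule_set.get("rule_group_override") or []:
        if _first(override.get("rule_group_name")) != JAVA_RULE_GROUP:
            continue
        # Older azurerm style: disabled_rules = ["944240", ...]
        if LOG4J_RULE_ID in (_first(override.get("disabled_rules"), []) or []):
            return True
        # azurerm v3 style: rule { id = "944240" enabled = false }
        for rule in override.get("rule") or []:
            if _first(rule.get("id")) == LOG4J_RULE_ID and _first(rule.get("enabled"), True) is False:
                return True
    return False


def check_waf_policy(conf: dict) -> str:
    """Return "PASSED" when the policy carries an OWASP CRS >= 3.1 managed rule
    set with the Java-attack rule left enabled, otherwise "FAILED"."""
    for managed_rules in conf.get("managed_rules") or []:
        for rule_set in managed_rules.get("managed_rule_set") or []:
            # azurerm defaults type to OWASP when it is omitted
            if _first(rule_set.get("type"), "OWASP") != "OWASP":
                continue
            version = _first(rule_set.get("version"), "")
            if not version or _version_tuple(version) < MIN_CRS_VERSION:
                continue
            return "FAILED" if _java_rule_disabled(rule_set) else "PASSED"
    return "FAILED"


# Constructed sample policies in the parsed shape described above.
PASSING_POLICY = {
    "name": ["example"],
    "managed_rules": [{"managed_rule_set": [{"type": ["OWASP"], "version": ["3.1"]}]}],
}
OLD_CRS_POLICY = {
    "name": ["legacy"],
    "managed_rules": [{"managed_rule_set": [{"type": ["OWASP"], "version": ["3.0"]}]}],
}
OVERRIDDEN_POLICY = {
    "name": ["muted"],
    "managed_rules": [{"managed_rule_set": [{
        "type": ["OWASP"],
        "version": ["3.2"],
        "rule_group_override": [{
            "rule_group_name": [JAVA_RULE_GROUP],
            "disabled_rules": [[LOG4J_RULE_ID]],
        }],
    }]}],
}

if __name__ == "__main__":
    for label, policy in (("passing", PASSING_POLICY),
                          ("old_crs", OLD_CRS_POLICY),
                          ("overridden", OVERRIDDEN_POLICY)):
        print(f"{label}: {check_waf_policy(policy)}")
```

The second and third samples are the two ways a policy typically slips: a rule set pinned to an older CRS version, or a current version whose Java-attack rule has been disabled through an override. A real scan would run this over every azurerm_web_application_firewall_policy block in the plan rather than over hand-built dicts.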