Ensure Cloud Armor prevents message lookup in Log4j2

Error: Cloud Armor allows message lookup in Log4j2

Bridgecrew Policy ID: BC_GCP_NETWORKING_14
Checkov Check ID: CKV_GCP_73
Severity: MEDIUM


Description

Using a vulnerable version of the Apache Log4j library may let attackers abuse its Lookup mechanism, which resolves special syntax embedded in a format string, potentially leading to remote code execution, data leakage and more.
Configure your Cloud Armor security policy to block requests that attempt this lookup, using the rule definition below.

Learn more about CVE-2021-44228

Fix - Buildtime

Terraform

  • Resource: google_compute_security_policy

resource "google_compute_security_policy" "example" {
  name = "example"

  # Deny (HTTP 403) any request that matches Google's preconfigured
  # Log4j2 / CVE-2021-44228 WAF rule set ('cve-canary').
  rule {
    action   = "deny(403)"
    priority = 1
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('cve-canary')"
      }
    }
  }
}
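As an added illustration of what this check verifies (this is not Checkov's own implementation of CKV_GCP_73), the function below evaluates a parsed google_compute_security_policy resource and passes only when some rule denies traffic matching the 'cve-canary' expression; it also treats a rule with preview = true as non-blocking, since a preview rule only logs. The resource dicts are constructed samples, shaped like the list-wrapped attributes Checkov hands to a check.

```python
"""Standalone check mirroring the intent of CKV_GCP_73: a
google_compute_security_policy must carry an enforced deny rule whose
match expression evaluates the preconfigured 'cve-canary' rule set."""
import re

# Matches evaluatePreconfiguredExpr('cve-canary') with optional whitespace.
CVE_CANARY = re.compile(r"evaluatePreconfiguredExpr\(\s*'cve-canary'\s*\)")


def rule_blocks_log4j_lookup(rule: dict) -> bool:
    """True when the rule is enforced, denies traffic and matches cve-canary."""
    action = rule.get("action", [""])[0]
    if not action.startswith("deny"):
        return False
    # A preview rule is evaluated and logged but never enforced.
    if rule.get("preview", [False])[0]:
        return False
    for match in rule.get("match", []):
        for expr in match.get("expr", []):
            expression = expr.get("expression", [""])[0]
            if CVE_CANARY.search(expression):
                return True
    return False


def check_security_policy(conf: dict) -> str:
    """Return 'PASSED' if any rule blocks the Log4j2 lookup, else 'FAILED'."""
    for rule in conf.get("rule", []):
        if rule_blocks_log4j_lookup(rule):
            return "PASSED"
    return "FAILED"


# Constructed sample: the fix from this page, parsed into Checkov-style lists.
COMPLIANT = {
    "name": ["example"],
    "rule": [{
        "action": ["deny(403)"],
        "priority": [1],
        "match": [{"expr": [{"expression": ["evaluatePreconfiguredExpr('cve-canary')"]}]}],
    }],
}

# Constructed sample: same expression, but the rule only allows and logs.
NON_COMPLIANT = {
    "name": ["example"],
    "rule": [{
        "action": ["allow"],
        "priority": [1],
        "match": [{"expr": [{"expression": ["evaluatePreconfiguredExpr('cve-canary')"]}]}],
    }],
}

if __name__ == "__main__":
    print(check_security_policy(COMPLIANT))      # PASSED
    print(check_security_policy(NON_COMPLIANT))  # FAILED
```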