Ensure Front Door WAF prevents message lookup in Log4j2
Error: Front Door WAF allows message lookup in Log4j2
Bridgecrew Policy ID: BC_AZR_NETWORKING_46
Checkov Check ID: CKV_AZURE_133
Severity: MEDIUM
Description
Using a vulnerable version of the Apache Log4j library can let attackers abuse its Lookup mechanism, which resolves special syntax in a format string by making outbound requests; this can lead to remote code execution, data leakage and more.
Configure your Front Door Web Application Firewall (WAF) to block requests that attempt to trigger this mechanism, using the rule definition below.
Azure WAF has updated Default Rule Set (DRS) versions 1.0 and 1.1 with rule 944240 "Remote Command Execution" under Managed Rules to help detect and mitigate this vulnerability. This rule is already enabled by default in block mode for all existing WAF Default Rule Set configurations.
Learn more about CVE-2021-44228
Fix - Buildtime
Terraform
- Resource: azurerm_frontdoor_firewall_policy
```hcl
resource "azurerm_frontdoor_firewall_policy" "example" {
  name                = "example"
  resource_group_name = "example"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.1"

    # Explicitly keep DRS rule 944240 ("Remote Command Execution") enabled in block mode.
    override {
      rule_group_name = "JAVA"

      rule {
        action  = "Block"
        enabled = true
        rule_id = "944240"
      }
    }
  }
}
```
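As an added illustration (not Checkov's own source), the following simplified Python re-implementation of the CKV_AZURE_133 logic evaluates a parsed azurerm_frontdoor_firewall_policy block and passes it only when a Microsoft_DefaultRuleSet override keeps rule 944240 enabled in Block mode. The dict shape mimics Checkov's list-wrapped HCL attributes, and treating a missing override as a failure is an assumption of this example, not a statement about Checkov's exact behaviour.

```python
import copy
from typing import Any

LOG4J_RULE_ID = "944240"  # DRS rule "Remote Command Execution"
DEFAULT_RULE_SET = "Microsoft_DefaultRuleSet"


def _first(value: Any) -> Any:
    # Checkov hands checks HCL attributes wrapped in single-element lists.
    return value[0] if isinstance(value, list) and value else value


def log4j_rule_blocked(conf: dict) -> bool:
    """True when a Microsoft_DefaultRuleSet override keeps 944240 enabled with action Block."""
    for managed_rule in conf.get("managed_rule", []):
        if _first(managed_rule.get("type")) != DEFAULT_RULE_SET:
            continue
        for override in managed_rule.get("override", []):
            for rule in override.get("rule", []):
                if (
                    _first(rule.get("rule_id")) == LOG4J_RULE_ID
                    and _first(rule.get("enabled")) is True
                    and _first(rule.get("action")) == "Block"
                ):
                    return True
    return False


def scan(conf: dict) -> str:
    """Checkov-style verdict for one azurerm_frontdoor_firewall_policy block."""
    return "PASSED" if log4j_rule_blocked(conf) else "FAILED"


# Constructed sample: the resource from the Terraform fix above, in parsed form.
COMPLIANT = {
    "name": ["example"],
    "resource_group_name": ["example"],
    "managed_rule": [{
        "type": ["Microsoft_DefaultRuleSet"],
        "version": ["1.1"],
        "override": [{
            "rule_group_name": ["JAVA"],
            "rule": [{"action": ["Block"], "enabled": [True], "rule_id": ["944240"]}],
        }],
    }],
}

# Constructed sample: same policy, but the override disables the rule.
NON_COMPLIANT = copy.deepcopy(COMPLIANT)
NON_COMPLIANT["managed_rule"][0]["override"][0]["rule"][0]["enabled"] = [False]
```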