Ensure WAF prevents message lookup in Log4j2

Error: WAF allows message lookup in Log4j2

Bridgecrew Policy ID: BC_AWS_NETWORKING_61
Checkov Check ID: CKV_AWS_192
Severity: CRITICAL

WAF allows message lookup in Log4j2

Description

Using a vulnerable version of the Apache Log4j library might enable attackers to exploit its Lookup mechanism, which accepts special syntax in a format string to make requests, potentially leading to remote code execution, data leakage and more.
Configure your Web Application Firewall (WAF) to block such lookups using the rule definition below.

Learn more about CVE-2021-44228

Fix - Buildtime

Terraform

  • Resource: aws_wafv2_web_acl

resource "aws_wafv2_web_acl" "pass" {
  ...

  rule {
    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    ...
  }

  ...
}

CloudFormation

  • Resource: AWS::WAFv2::WebACL

Pass:
    Type: AWS::WAFv2::WebACL
    Properties:
      ...

      Rules:
        - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
          OverrideAction:
            None: {}
          ...
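To verify a template against this policy before deploying it, the following added example (hypothetical code, not Checkov's own implementation of CKV_AWS_192) walks a parsed CloudFormation template and reports each web ACL as PASSED or FAILED. It treats the rule as satisfied only when the KnownBadInputs managed group is applied with OverrideAction None (a Count override would only log matches) and without excluding the group's Log4JRCE rule; the sample template is constructed for the example.

```python
# Added example, not Checkov's own code: checks a parsed CloudFormation template
# (a dict, e.g. from yaml.safe_load) against this policy. A web ACL passes only if
# it enforces the AWS-managed KnownBadInputs group (OverrideAction None, not
# Count) without excluding that group's Log4JRCE rule.
REQUIRED_GROUP = "AWSManagedRulesKnownBadInputsRuleSet"
REQUIRED_VENDOR = "AWS"
LOG4J_RULE = "Log4JRCE"  # rule in the managed group covering CVE-2021-44228

def rule_enforces_known_bad_inputs(rule: dict) -> bool:
    """True if one Rules entry enforces the KnownBadInputs managed group."""
    stmt = (rule.get("Statement") or {}).get("ManagedRuleGroupStatement") or {}
    if stmt.get("Name") != REQUIRED_GROUP or stmt.get("VendorName") != REQUIRED_VENDOR:
        return False
    # OverrideAction Count downgrades the whole group to count-only (logged, not blocked).
    override = rule.get("OverrideAction") or {}
    if "None" not in override or "Count" in override:
        return False
    excluded = {r.get("Name") for r in stmt.get("ExcludedRules") or []}
    return LOG4J_RULE not in excluded

def web_acl_passes(resource: dict) -> bool:
    """CKV_AWS_192-style verdict for one AWS::WAFv2::WebACL resource."""
    if resource.get("Type") != "AWS::WAFv2::WebACL":
        return False
    rules = (resource.get("Properties") or {}).get("Rules") or []
    return any(rule_enforces_known_bad_inputs(r) for r in rules)

def scan_template(template: dict) -> dict:
    """Map every WebACL logical id in the template to PASSED or FAILED."""
    return {name: "PASSED" if web_acl_passes(res) else "FAILED"
            for name, res in (template.get("Resources") or {}).items()
            if res.get("Type") == "AWS::WAFv2::WebACL"}

def sample_acl(override: dict, excluded=()) -> dict:
    """Constructed WebACL resource (test data, not from the page)."""
    stmt = {"VendorName": REQUIRED_VENDOR, "Name": REQUIRED_GROUP,
            "ExcludedRules": [{"Name": n} for n in excluded]}
    return {"Type": "AWS::WAFv2::WebACL", "Properties": {"Rules": [
        {"Name": "AWS-" + REQUIRED_GROUP, "Priority": 1,
         "Statement": {"ManagedRuleGroupStatement": stmt},
         "OverrideAction": override}]}}

# Constructed sample: compliant, count-only, Log4JRCE excluded, and no rules.
SAMPLE_TEMPLATE = {"Resources": {
    "Pass": sample_acl({"None": {}}),
    "CountOnly": sample_acl({"Count": {}}),
    "Excluded": sample_acl({"None": {}}, excluded=(LOG4J_RULE,)),
    "NoRules": {"Type": "AWS::WAFv2::WebACL", "Properties": {"Rules": []}},
}}
```

Calling `scan_template(SAMPLE_TEMPLATE)` marks only the `Pass` ACL as PASSED; the other three fail for the reasons named in their logical ids.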