On Mon, 13 Dec 2021 at 19:51, Valters Jansons <[email protected]> wrote:
>
> Is this thread really "on-topic" for HAProxy?
>
> Attempts to mitigate Log4Shell at HAProxy level to me feel similar
> to.. looking at a leaking roof of a house and thinking "I should put
> an umbrella above it, so the leak isn't hit by rain". Generally, it
> might work, but it's not something that you can expect to hold up in
> the long run, and it's not something construction folks would advise.

This is about reducing the attack surface temporarily. I would rather avoid thousands of euros of water damage in my house or millions of dollars of damage at my employer, just because a contractor can't immediately provide a long-term fix. A temporary and incomplete mitigation is better than nothing at all; that doesn't mean it's an alternative to properly fixing the issue.

> So just patch/update your vulnerable applications; and where vendors
> provide mitigation steps - apply those instead.

That is often easier said than done, especially when there is no time.

Lukas

