On Mon, 13 Dec 2021 at 12:51, Olivier D <webmas...@ajeux.com> wrote:
> If you don't know yet, a CVE was published on Friday about the log4j library, 
> allowing remote code execution with a crafted HTTP request.
[snip]
> We would like to filter these requests on HAProxy to lower the exposure. At 
> peak times, 20% of our web traffic is scanners for this bug!
[snip]
> http-request deny deny_status 405 if { url_sub -i "\${jndi:" } or { hdr_sub(user-agent) -i "\${jndi:" }
> What do you think ?

I don't have an explicit example, but my understanding is that log4j's
"${foo}" strings, which need to result in "${jndi:ldap://<something>}"
to trigger the exploit, are recursively expanded.

Thus (again, having neither an example nor any expertise with log4j)
the space of things you'd need to filter out becomes rather large. I
believe there are string casing operators available, leading to
options like (but probably not precisely!)
"${j{$lower:N}di:ldap://...".

Whilst I'm sure you could reduce your malicious traffic volumes with a
static rule, as you mention, I'm not sure it's a good idea to give
anyone the impression that this can be anything more than a /very/
incomplete sticking plaster over the issue!

All the best,
Jon
-- 
Jonathan Matthews
https://jpluscplusm.com
