Re: Blocking log4j CVE with HAProxy

2021-12-14 Thread Aleksandar Lazic
Hi. On 14.12.21 10:18, Olivier D wrote: Hi, On Mon, 13 Dec 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote: http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" } was not catching the bad traffic. I think the escapes

Re: Blocking log4j CVE with HAProxy

2021-12-14 Thread Olivier D
Hi, On Mon, 13 Dec 2021 at 19:38, John Lauro wrote: > http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or > hdr_sub(user-agent) -i "\$\{jndi:" } > was not catching the bad traffic. I think the escapes were causing issues > in the matching. > > The following did work: >

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Igor Cicimov
ysg> From: Nicolas CARPi Sent: Tuesday, 14 December 2021, 10:27 To: Jonathan Matthews Cc: Olivier D; HAProxy Subject: Re: Blocking log4j CVE with HAProxy On 13 Dec, Jonathan Matthews wrote: > I believe there are string casing operators available, leading to > options like &

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Nicolas CARPi
On 13 Dec, Jonathan Matthews wrote: > I believe there are string casing operators available, leading to > options like "${j{$lower:N}di:ldap://...;. Indeed. Maybe this can help, it's the "Bypass WAF" part of the POC[0]:

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote: > > Is this thread really "on-topic" for HAProxy? > > Attempts to mitigate Log4Shell at HAProxy level to me feel similar > to.. looking at a leaking roof of a house and thinking "I should put > an umbrella above it, so the leak isn't hit by

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Tim Düsterhus
Valters, On 12/13/21 7:51 PM, Valters Jansons wrote: Is this thread really "on-topic" for HAProxy? "I want to block specific pattern in a header" certainly is on-topic for the HAProxy list. Attempts to mitigate Log4Shell at HAProxy level to me feel similar to.. looking at a leaking roof

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Valters Jansons
Is this thread really "on-topic" for HAProxy? Attempts to mitigate Log4Shell at HAProxy level to me feel similar to.. looking at a leaking roof of a house and thinking "I should put an umbrella above it, so the leak isn't hit by rain". Generally, it might work, but it's not something that you can

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread John Lauro
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" } was not catching the bad traffic. I think the escapes were causing issues in the matching. The following did work: http-request deny deny_status 405 if { url_sub -i -f

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Jonathan Matthews
On Mon, 13 Dec 2021 at 12:51, Olivier D wrote: > If you don't know yet, a CVE was published on Friday about library log4j, > allowing a remote code execution with a crafted HTTP request. [snip] > We would like to filter these requests on HAProxy to lower the exposition. At > peak times, 20% of

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 14:53, Lukas Tribus wrote: On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote: Well I go the other way around. The application must know what data are allowed, verify the input and if the input is not valid discard it. You clearly did not understand my point so let me try

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote: > Well I go the other way around. > > The application must know what data are allowed, verify the input and if the > input is not valid discard it. You clearly did not understand my point so let me try to phrase it differently: The log4j

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 14:03, Lukas Tribus wrote: On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote: 1. Why is an input from outside of the application passed unchecked to the logging library! Because you can't predict the future. When you know that your backend is SQL, you escape what's necessary

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote: > 1. Why is an input from outside of the application passed unchecked to the > logging library! Because you can't predict the future. When you know that your backend is SQL, you escape what's necessary to avoid SQL injection (or use

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 11:48, Olivier D wrote: Hello there, If you don't know yet, a CVE was published on Friday about library log4j, allowing a remote code execution with a crafted HTTP request. We would like to filter these requests on HAProxy to lower the exposition. At peak times, 20% of our web

Blocking log4j CVE with HAProxy

2021-12-13 Thread Olivier D
Hello there, If you don't know yet, a CVE was published on Friday about library log4j, allowing a remote code execution with a crafted HTTP request. We would like to filter these requests on HAProxy to lower the exposition. At peak times, 20% of our web traffic is scanners about this bug! The