Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote: > 1. Why is an input from outside of the application passed unchecked to the > logging library! Because you can't predict the future. When you know that your backend is SQL, you escape what's necessary to avoid SQL injection (or use

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 11:48, Olivier D wrote: Hello there, If you don't know yet, a CVE was published on Friday about library log4j, allowing a remote code execution with a crafted HTTP request. We would like to filter these requests on HAProxy to lower the exposure. At peak times, 20% of our web

Blocking log4j CVE with HAProxy

2021-12-13 Thread Olivier D
Hello there, If you don't know yet, a CVE was published on Friday about library log4j, allowing a remote code execution with a crafted HTTP request. We would like to filter these requests on HAProxy to lower the exposure. At peak times, 20% of our web traffic is scanners about this bug! The

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote: > Well I go the other way around. > > The application must know what data are allowed, verify the input and if the > input is not valid discard it. You clearly did not understand my point so let me try to phrase it differently: The log4j

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 14:53, Lukas Tribus wrote: On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote: Well I go the other way around. The application must know what data are allowed, verify the input and if the input is not valid discard it. You clearly did not understand my point so let me try

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Aleksandar Lazic
On 13.12.21 14:03, Lukas Tribus wrote: On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote: 1. Why is an input from outside of the application passed unchecked to the logging library! Because you can't predict the future. When you know that your backend is SQL, you escape what's necessary

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Jonathan Matthews
On Mon, 13 Dec 2021 at 12:51, Olivier D wrote: > If you don't know yet, a CVE was published on friday about library log4j, > allowing a remote code execution with a crafted HTTP request. [snip] > We would like to filter these requests on HAProxy to lower the exposition. At > peak times, 20% of

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread John Lauro
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" } was not catching the bad traffic. I think the escapes were causing issues in the matching. The following did work: http-request deny deny_status 405 if { url_sub -i -f

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Valters Jansons
Is this thread really "on-topic" for HAProxy? Attempts to mitigate Log4Shell at HAProxy level to me feel similar to... looking at a leaking roof of a house and thinking "I should put an umbrella above it, so the leak isn't hit by rain". Generally, it might work, but it's not something that you can

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Tim Düsterhus
Valters, On 12/13/21 7:51 PM, Valters Jansons wrote: Is this thread really "on-topic" for HAProxy? "I want to block a specific pattern in a header" certainly is on-topic for the HAProxy list. Attempts to mitigate Log4Shell at HAProxy level to me feel similar to... looking at a leaking roof

Re: [EXTERNAL] Re: [PATCH] MEDIUM numa supports for FreeBSD

2021-12-13 Thread Willy TARREAU
On Tue, Dec 14, 2021 at 02:12:28AM +, David CARLIER wrote: > ping :) sorry for the delay David, we'll check today. Willy

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Igor Cicimov
You should also take into account paths that can carry a base64-encoded payload. To me the best bet for protecting via haproxy is using the spoa mod_security WAF, given people have already come up with comprehensive protection rules.

Re: [PATCH] MEDIUM numa supports for FreeBSD

2021-12-13 Thread David CARLIER
ping :) On Mon, 6 Dec 2021 at 11:07, David CARLIER wrote: > > Hi > > Here is a little patch for proper NUMA topology detection on FreeBSD. > > Thanks. > > Regards.

Re: [PATCH] BUILD: unbreak the build with newer libressl

2021-12-13 Thread Илья Шипицин
gentle ping Wed, 8 Dec 2021 at 06:37, Daniel Jakots: > Hi, > > Here's the file inline generated with `git format-patch -1`. Is it ok? > > I'm not subscribed to the mailing list, please keep me in Cc:. > > Thanks, > Daniel > > From bc44099cb32a95d3a8895a6232b5b0ce5c9cb5c0 Mon Sep 17 00:00:00

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Nicolas CARPi
On 13 Dec, Jonathan Matthews wrote: > I believe there are string casing operators available, leading to > options like "${j{$lower:N}di:ldap://...;. Indeed. Maybe this can help, it's the "Bypass WAF" part of the POC[0]:

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote: > > Is this thread really "on-topic" for HAProxy? > > Attempts to mitigate Log4Shell at HAProxy level to me feel similar > to... looking at a leaking roof of a house and thinking "I should put > an umbrella above it, so the leak isn't hit by