
Protect against log4j attacks using Coraza WAF

I’m not going to write a long post on how to protect against log4j using Coraza, but I will show you how the OWASP Core Rule Set rule from https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/, compiled into Coraza, protects you against log4j (Log4Shell, CVE-2021-44228).

SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
    "id:1005,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:cmdline,\
    log,\
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

The rule above can be loaded into Coraza as-is to stop these attacks; just check the example:

This rule catches A LOT of exploit variations and bypass attempts.
