
Q&A: Can Silverline Protect Against Apache Log4j RCE Exploit CVE-2021-44228 and CVE-2021-45046

Question

Can F5 Silverline WAF protect against the critical RCE vulnerability in Apache log4j, CVE-2021-44228 (aka Log4Shell)?

 

Environment

  • Silverline DDoS
  • Silverline WAF

 

Answer

F5 Silverline has implemented mitigating controls to detect and block known exploit vectors for CVE-2021-44228.  We are actively monitoring the evolving threat landscape and will continue to implement additional protections as necessary.

 

Mitigation via WAF signature

Silverline WAF customers are protected by existing signature IDs that provide broad coverage against JSP/JNDI injection attacks:

  • 200004450
  • 200004451
  • 200004474

Silverline has deployed additional signatures to mitigate known exploit vectors specific to CVE-2021-44228:

  • 200104768
  • 200104769
  • 200104770
  • 200104771
  • 200104772
  • 200104773

F5 Silverline WAF - Signature Update, 2021 December 22

Silverline added further attack signatures to cover evolving log4j vulnerabilities, including CVE-2021-45046.

  • 200104774
  • 200104775
  • 200104776

F5 Silverline WAF - Signature Update, 2022 January 5

Silverline added further attack signatures to cover evolving log4j vulnerabilities, including CVE-2021-45046.

  • 200104722

These signatures are initially deployed in alarm-only mode and must be specifically enforced in order to block traffic. Please contact the SOC or Silverline Support to have this done.

Mitigation via iRule (self-service):

Note: This iRule must only be used on HTTP/HTTPS service types.

Note: The iRule will not work for proxies on v11.

WAF policies provide the best long-term mitigation method, but there is also an iRule-based mitigation which offers the following advantages:

  • can be deployed self-service
  • can be attached to proxies with WAF policies that are in transparent mode or where the new ASM signatures are still in staging
  • can be modified to provide customized protection

iRule details:

  • Name: http_only_log4j_rce_block
  • Location: iRule Management
  • Description:
    • drops requests with known CVE-2021-44228 vectors in HTTP header values or HTTP paths
    • generates an iRule event titled http_only_log4j_rce_block

To enable this iRule:

The iRule will be in the Undeployed tab.  Click Deploy and it should move to the Deployed tab, making it available for deployment.  If it doesn't deploy, contact the SOC.
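The kind of check the iRule description above refers to (inspecting the HTTP path and header values, then dropping on a match) can be sketched as follows. This is an added example in Python, not the source of http_only_log4j_rce_block, which this article does not show; the patterns, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed patterns (not F5's): the literal JNDI lookup prefix, and any nested
# "${...${" lookup, which has no legitimate place in a path or header value.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
NESTED = re.compile(r"\$\{[^}]*\$\{")

def normalise(value, max_rounds=3):
    """URL-decode a bounded number of times so single and double encoding are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path, headers):
    """Return (location, reason) findings; an empty list means nothing matched."""
    findings = []
    fields = [("path", path)] + [("header:" + k, v) for k, v in headers.items()]
    for location, raw in fields:
        value = normalise(raw)
        if JNDI.search(value):
            findings.append((location, "jndi-lookup"))
        elif NESTED.search(value):
            findings.append((location, "nested-lookup"))
    return findings

def verdict(path, headers):
    """Mirror the iRule's described behaviour: drop on any finding, else allow."""
    return "drop" if inspect_request(path, headers) else "allow"

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/index.html", {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}),
    ("/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D", {"User-Agent": "curl/7.79"}),
    ("/login", {"X-Api-Version": "${JNDI:ldap://example.invalid/a}"}),
    ("/login", {"User-Agent": "${${a}b:c}"}),
    ("/price", {"X-Note": "cost is ${amount} USD"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLES:
        print(verdict(path, headers), path, inspect_request(path, headers))
```

Running the same function over recorded access logs before enforcing a block is a quick way to see which legitimate requests, if any, would be dropped.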

 

Additional Notes:

CVE-2021-44228 is being actively exploited in the wild, and threat actors continue to tune attack vectors to evade detection.  F5 Silverline threat research teams are actively monitoring the situation and will tune/adjust protections accordingly.  However, given the criticality of this vulnerability, F5 Silverline highly recommends application teams update log4j to the recently released version 2.15.0 per https://logging.apache.org/log4j/2.x/security.html

 
