Mitigation for Log4J (CVE-2021-44228)

M

Last update: December 22nd 2021

Many of us, today, struggle with the Log4J security issue (CVE-2021-44228). It will take a long time to fix all apps, as the Apache log4J framework is built deep into several apps. For many of my customer’s apps, it’s still not clear, if whether they are affected, or not. At the same time, there are already exploits out there, allowing attackers to get shell access to affected machines. So what to do?

I found a pretty good analysis from Qualis.

We could use Citrix ADC’s (NetScaler’s) WAF feature to mitigate. Citrix recently released 4 signatures #999077-9990780 for their WAF. These signatures will mitigate the issue (Credits to Ronan O., he posted it on LinkedIn). Just add four simple rules, and your application is back to a safe state. I would really do this, no matter, if your applications are affected, or not (we still don’t know this for most of our applications).

In Parallel, Citrix released a paper about the security of their own products. The good news: Neither Citrix ADC, nor Citrix ADM, uses Log4J. Therefore, these products are not affected. At the very bottom, where you stopped reading long ago because you thought everything had already been said, they published a responder policy. It is there no more, and I don’t know why it’s gone, but it seems worthwhile applying. So we have 2 approaches: The WAF and the responder approach.

Warning: This might not be a 100 % secure solution. But it might be the best solution we currently have! Read the original by Ronan O., on LinkedIn, including comments, for concerns. This is mainly about the WAF-solution, but may also be true about the responder-solution. I also have added some guidelines about testing.


What to do? The responder-solution

The responder policy uses a pattern set. It contains the strings typical for this exploit. The policy expression looks very confusing (if it weren’t for the pattern-set, it would look even more confusing).

This is the pattern-set:

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns

So you see it’s a list containing the usual verbs.

add responder policy res_pol_mitigate_exploit_cve_2021_44228
"HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\")
||
HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${:
}/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\") ||
HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\")
||
HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.
SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${:
}/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\")" DROP
-logAction log_CVE2021_44228

The policy does a simple drop. That’s absolutely fine to do, an attacker does not need much feedback. The -logaction parameter is mine. I always log security-related information, that’s why I’m using it. Of course, there has to be a logging policy as well, and it has to be created ahead of creating the policy:

add audit messageaction log_CVE2021_44228 WARNING
"\"CVE2021_44228 exploit from \" + CLIENT.IP.SRC + \" with https://\" +
HTTP.REQ.HOSTNAME + HTTP.REQ.URL + \" Body: \" + HTTP.REQ.BODY(4096) +
\" Headers: \" + HTTP.REQ.FULL_HEADER"

You see, I log the client IP, the HTTP method, the URL (including all query strings), a potential HTTP body, and all headers. Don’t forget to turn on user-configurable log messages!

This logs a message starting with CVE2021_44228, as it’s always important to have a string like that to grep for. This is the typical outcome of this log (In this case, the problem was in the headers, I blurred sensitive information, as the log came from a customer’s ADC):

I bound this responder policy globally, so it affects everything going into my webserver.
bind responder global res_pol_mitigate_exploit_cve_2021_44228 10000 END -type REQ_DEFAULT


What to do? The WAF-solution

If you still don’t have WAF enabled, you should enable the feature.

enable feature AppFW

Next, navigate to Security → Citrix WebApp Firewall → Signatures. Click update signatures. To create new signatures, select the default signatures, click add.

Mitigate Log4J using Citrix ADC/NetScaler
enable the four security checks 999077 to 999080. Save the signature file.

If you don’t already use WAF, navigate to Security → Citrix WebApp Firewall →Profiles. Create a new profile, type default, HTML. Open “Security Checks” on the far right side and clear all checkboxes (that’s important to not destroy your application!). Open “Profile Settings” on the far right side, and add these signatures to the profile (signatures are almost at the end of these settings). Click OK.

Log4j NetScaler/Citrix ADC mitigation

Last, navigate to Security → Citrix WebApp Firewall → Policies. Create a new policy, select true as action, and bind it to your lb vServers, or, in complex scenarios probably better, globally to your ADC. That’s it. Thank’s Citrix, you saved my weekend!

Last, navigate to Security → Citrix WebApp Firewall → Policies. Create a new policy, select true as action, and bind it to your lb vServers, or, in complex scenarios probably better, globally to your ADC. That’s it. Thank’s Citrix, you saved my weekend!


Testing

Never believe, something is secure, just because somebody says, it’s secure! So you have to test. There are already plenty of “test-strings”, but also exploits, out there. Encode these strings, using URL-Encoding. The string might be utterly everywhere: In the URL, in headers, in form fields. Use excessive percent-encoding throughout your testing: For example, you could replcae the $ sign with %24, but the % sign in %24could get replaced by %25. So a $ sign could look like %2524. You might – of course – also encode these numbers, so instead of %24 you could use %24%32%34. For example, you might use this table.

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security.

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruch (https://www.youtube.com/watch?v=UvdF145Lf2I)

Add comment

By Johannes Norz

Recent Posts

Recent Comments