Any Traefik issues with the Log4J vulnerability?

The Log4J zero day vulnerability released Friday night (12/10) is for the Log4j Java library. Traefik is obviously written in Go, but I have seen mentions of other cautions and wanted to check.

Are there any vulnerability issues with Traefik 2.0+ and the Log4J vulnerability?

Hello @GoingOffRoading ,

Indeed, Traefik is not affected at all by the vulnerability, but since it is a common proxy solution for people using affected backends, there are mentions and questions here and there.

The main question is how can you secure your affected backend that is exposed by Traefik until you can fix its code permanently.

We have two options here, the first being a simple addition of a HeadersRegexp matching on the router to filter out the user-agent header. That approach does not cover all use cases, but it's quick and easy enough for the most common ones.

The second and more complete approach would be to write a custom plugin.

You can find an example for the first approach here, and we are working to create an example plugin soon.


Hello @GoingOffRoading

We have just released the plugin that blocks malicious requests at the proxy level, so the request will not be forwarded to the backend with the affected Log4j library.

Here are details: https://traefik.io/blog/how-traefik-plugins-protect-your-apps-against-the-log4j-vulnerability/

and here is the plugin: traefik/plugin-log4shell on GitHub (Log4Shell is a middleware plugin for Traefik which blocks JNDI attacks based on HTTP header values).

Thank you,

Thanks for bringing this to our attention.

How do I generate the token value in

[pilot]
token = "xxx"

Hello @mnsmithuk

The Pilot token will be generated once you register the Traefik instance at https://pilot.traefik.io/
The easiest way to achieve that is to deploy the Traefik dashboard and register the instance through the dashboard; then you will get the token that should be added to the static configuration.

I hope that helps,
Thank you
