Mitigation for CVE-2021-44228

Regarding CVE-2021-44228, I am curious if there is a middleware/router that would prevent an attacker from sending `${jndi:` in the request payload or headers. This issue is already supported by WAFs (Google, AWS, Azure).

Hello @vs-dsva

Thanks a lot for using Traefik and raising that important topic.

The easiest way is creating a router that uses HostRegexp to match the incoming request, e.g.

```yaml
# Docker labels: requests for the host whose User-Agent contains "jndi:" are routed
# to the built-in noop@internal service, so Traefik answers them and the backend never sees them.
- "traefik.http.routers.log4jbomb-patch.rule=Host(`log4j.127.0.0.1.nip.io`) && HeadersRegexp(`User-Agent`, `.*jndi:.*`)"
- "traefik.http.routers.log4jbomb-patch.service=noop@internal"
```

That solution will mitigate only a basic use case, and more advanced solutions are in the process of being developed.
Please note this is not the ideal solution, because a regular expression will not protect against a more tricky request, e.g.

 'User-Agent: ${${lower:j}ndi:ldap://127.0.0.1/a}'

However, as I mentioned, we are working on having a plugin that can be assigned as a Middleware to protect the vulnerable backend.

Will keep you posted once the plugin is ready!


As I previously mentioned, we have just released the plugin that blocks the malicious request at the proxy level, so the request will not be forwarded to the backend with the affected Log4j library.

Here are details: https://traefik.io/blog/how-traefik-plugins-protect-your-apps-against-the-log4j-vulnerability/

and here is the plugin: GitHub - traefik/plugin-log4shell: Log4Shell is a middleware plugin for Traefik which blocks JNDI attacks based on HTTP header values.

Thank you,

Maybe it is better to use a rule with maximum priority, like:

```yaml
http:
  routers:
    CVE-2021-44228:
      priority: 10000          # evaluated before every other router
      rule: "PathPrefix(`/`) && HeadersRegexp(`User-Agent`, `.*?(\\$\\{|jndi|ldap).*`)"
      service: noop@internal   # answered by Traefik itself, never forwarded
      entryPoints:
        - https
      tls: {}
```

It is still only for one header. It blocks every request with `${`.
@jakubhajek Why are you using the Host rule?
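Two points raised above deserve a worked illustration: a plain `jndi:` regex misses obfuscated lookups such as `${${lower:j}ndi:ldap://127.0.0.1/a}`, and a `HeadersRegexp` rule inspects only the one header it names. The Go code below is an added example, not code from this thread, from Traefik, or from the traefik/plugin-log4shell plugin; it is an ordinary `net/http` middleware rather than a Yaegi plugin, and the names `Decode`, `Classify`, `Log4ShellGuard` and `statusFor` are hypothetical. It models only the Log4j lookup forms attackers use to reassemble the string `jndi` piecewise (the `${x:-default}` fallback, including `${::-j}`, and the `lower`/`upper` lookups), peels them from the inside out until a `${jndi:` becomes visible, and checks every request header. Lookups it cannot evaluate at the proxy (`env`, `sys`, `date`, ...) are reported as suspicious; in strict mode they are blocked too, which is the "block everything with `${`" posture of the priority rule above. The sample header values are constructed for the example; request bodies and query strings are not inspected here.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

var lookupRe = regexp.MustCompile(`\$\{([^${}]*)\}`)    // innermost ${...}: no "${" or "}" inside
var jndiRe = regexp.MustCompile(`(?i)\$\{\s*jndi\s*:`) // a JNDI lookup once deobfuscated

// resolveLookup evaluates the lookup forms attackers use to spell "jndi" piecewise: the
// "${x:-default}" fallback (so "${::-j}" is "j") and lower/upper. Anything else: ok=false.
func resolveLookup(body string) (val string, ok bool) {
	if i := strings.Index(body, ":-"); i >= 0 {
		return body[i+2:], true
	}
	prefix, rest, found := strings.Cut(body, ":")
	if !found {
		return "", false
	}
	switch strings.ToLower(prefix) {
	case "lower":
		return strings.ToLower(rest), true
	case "upper":
		return strings.ToUpper(rest), true
	}
	return "", false
}

// Decode rewrites nested lookups from the inside out, as Log4j's substitutor would, and stops
// as soon as "${jndi:" is visible (it is never resolved away) or an unevaluable lookup is hit.
func Decode(s string) (decoded string, jndi bool) {
	for i := 0; i < 64; i++ { // bounds the work one header value can cost the proxy
		if jndiRe.MatchString(s) {
			return s, true
		}
		loc := lookupRe.FindStringSubmatchIndex(s)
		if loc == nil {
			return s, false
		}
		val, ok := resolveLookup(s[loc[2]:loc[3]])
		if !ok {
			return s, false
		}
		s = s[:loc[0]] + val + s[loc[1]:]
	}
	return s, jndiRe.MatchString(s)
}

// Verdict is the decision for one header value.
type Verdict int

const (
	Clean      Verdict = iota
	Suspicious // a "${" lookup remains that the proxy could not decode
	Malicious  // a JNDI lookup was found after decoding
)

// Classify decodes one header value and classifies it.
func Classify(v string) Verdict {
	decoded, jndi := Decode(v)
	if jndi {
		return Malicious
	}
	if strings.Contains(decoded, "${") {
		return Suspicious
	}
	return Clean
}

// Log4ShellGuard inspects every header of every request, not only User-Agent. Malicious values
// are always rejected; with strict=true anything still containing "${" is rejected as well.
func Log4ShellGuard(next http.Handler, strict bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, values := range r.Header {
			for _, v := range values {
				if verdict := Classify(v); verdict == Malicious || (strict && verdict == Suspicious) {
					http.Error(w, "forbidden", http.StatusForbidden)
					return
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor pushes one request with the given headers through the guard in-process (httptest).
func statusFor(headers map[string]string, strict bool) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	Log4ShellGuard(backend, strict).ServeHTTP(rec, req)
	return rec.Code
}
```

`statusFor(map[string]string{"X-Api-Version": "${${lower:j}ndi:ldap://127.0.0.1/a}"}, false)` returns 403 even though the payload is neither in User-Agent nor spelled `jndi:` literally, while `statusFor(map[string]string{"User-Agent": "${date:yyyy}"}, false)` returns 200 and the same call with `strict=true` returns 403. Logging the `decoded` value from `Decode` alongside the raw header is what makes the blocked requests useful as indicators afterwards.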
