Many of you are working hard on fixing the new and serious Log4j 2 vulnerability CVE-2021-44228, which has a 10.0 CVSS score.
We have helped all our customers. If you are facing an issue and need help, reach out to us at https://aaic.cc/5r9p
Here we summarize the fixes required to minimize the impact of this vulnerability on your infrastructure.
Note: This is only applicable if you are running a Java-based environment that uses the log4j logging library.
1. Mitigation using AWS WAF:
To block malicious requests at the AWS WAF level, make sure the AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList rule groups from AWS Managed Rules for WAF are enabled. This applies only to WAFv2.
Reference Terraform code: https://github.com/OllieJC/aws-log4j-mitigations/blob/main/aws_waf/rule.tf
2. Upgrade log4j:
At the time of writing, log4j 2.16.0 is available. In addition to fixing the CVE, Log4j 2.16.0 disables JNDI functionality by default and removes Message Lookups entirely. Make sure you upgrade log4j to 2.16.0.
If you are not able to upgrade to the latest version, you can instead remove the JndiLookup class from the jar with the following command:
$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Amazon OpenSearch:
Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. You should receive an email about the update at your AWS account's root email address, as well as a notification in the AWS Console.
4. ELK Stack:
a. Upgrade Elasticsearch to version 7.16.1, which disables JNDI lookups and ships a patched log4j jar with the JndiLookup class removed from the classpath.
b. Upgrade Logstash to version 7.16.1, which updates its log4j dependency to 2.15.0.
5. Scanning Local Docker Images for log4j vulnerability:
First, update docker scan to version 0.11.0 or later, or update Docker Desktop to 4.3.1 or later.
You can then use the docker scan command to check your local images for the log4j vulnerability:
$ docker scan elastic/logstash:7.13.3
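Complementing the zip -d step (2) and the image scan (5) above, here is an added example, not part of the original post, that walks a directory of jars and reports every archive still carrying the JndiLookup class, descending into wars and fat/shaded jars that wrap log4j-core. The fixture jars it builds are constructed placeholders, not real log4j artifacts.

```python
# Added example, not from the original post: list the jars that still carry the
# JndiLookup class, descending into wars and fat/shaded jars that wrap log4j-core.
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, name, findings):
    """Inspect an archive held in memory and recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a stray file with a .jar suffix)
    names = zf.namelist()
    if JNDI_CLASS in names:
        findings.append(name)
    for entry in names:
        if entry.lower().endswith(NESTED):
            scan_archive(zf.read(entry), f"{name}!{entry}", findings)

def scan_tree(root):
    """Return outer!inner paths of every archive under root that contains JndiLookup."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in NESTED:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings

def build_sample_jars(target):
    """Constructed fixtures (not real log4j): a vulnerable jar nested inside a war,
    and a jar whose JndiLookup class was already deleted with zip -d."""
    other = "org/apache/logging/log4j/core/Logger.class"
    vuln = io.BytesIO()
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(Path(target) / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", vuln.getvalue())
    with zipfile.ZipFile(Path(target) / "log4j-core-stripped.jar", "w") as zf:
        zf.writestr(other, b"\xca\xfe\xba\xbe")

def demo():
    """Build the constructed fixtures in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jars(d)
        return scan_tree(d)
```

Point scan_tree at a host path or an extracted image filesystem to get the list of archives that still need the zip -d treatment or an upgrade.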