Many of you are working hard on fixing the new and serious Log4j 2 vulnerability CVE-2021-44228, which has a 10.0 CVSS score.
We have helped all our customers. If you are facing an issue and need help, reach out to us at https://aaic.cc/5r9p
Here is a Success Story
Here we summarize the fixes required to minimize exposure to this vulnerability on your infrastructure.
Note: This is applicable only if you are running a Java-based environment that uses the log4j logging library.
1. Mitigation using AWS WAF:
To block the bad requests at the AWS WAF level, make sure the AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList rule groups from AWS Managed Rules for WAF are enabled. This is applicable only for WAFv2.
Reference Terraform Code: https://github.com/OllieJC/aws-log4j-mitigations/blob/main/aws_waf/rule.tf
2. Upgrade log4j:
As of writing this documentation, log4j 2.16.0 is available. In addition to fixing the CVE, Log4j 2.16.0 disables JNDI functionality by default and removes Message Lookups as well. Make sure you upgrade log4j to 2.16.0.
If you are not able to upgrade to the latest version, you can instead delete the JNDI lookup class from the jar with the following command:
$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
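After upgrading or stripping the class, you still need to confirm that no old log4j-core copy is left behind, including copies bundled inside fat jars or WARs. The following script is an added example, not part of the original post: it walks a directory, inspects every .jar/.war/.ear (recursing into nested archives), reads the log4j-core version from its Maven pom.properties and reports whether JndiLookup.class is still present, treating anything below 2.16.0 (the version recommended above) as needing attention. The build_sample_jars helper creates constructed fixtures for a dry run; they are not real log4j jars.

```python
"""Added check: locate log4j-core jars (also nested in fat jars/WARs) and report their state."""
import io, re, tempfile, zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # the version the text above tells you to upgrade to

def verdict(version, has_lookup):
    if version is not None and version >= FIXED:
        return "ok"  # upgraded: JNDI off by default and message lookups removed upstream
    return "mitigated" if not has_lookup else "vulnerable"  # class deleted vs still present

def inspect(source, label):
    """Yield one finding per log4j-core archive in `source` (path or bytes) or nested inside it."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props, re.M)
            version = tuple(int(x) for x in m.groups()) if m else None
            has_lookup = JNDI_LOOKUP in names
            yield {"archive": label, "version": version, "has_jndi_lookup": has_lookup,
                   "verdict": verdict(version, has_lookup)}
        for name in sorted(n for n in names if n.endswith((".jar", ".war", ".ear"))):
            yield from inspect(io.BytesIO(jar.read(name)), f"{label}!{name}")  # fat jars, WARs

def scan_tree(root):
    """Scan every .jar/.war/.ear under root; returns a list of finding dicts."""
    return [f for p in sorted(Path(root).rglob("*")) if p.suffix in (".jar", ".war", ".ear")
            for f in inspect(p, str(p))]

def build_sample_jars(directory=None):
    """Constructed fixtures, not real log4j: vulnerable 2.14.1, stripped 2.14.1, app.war with 2.16.0."""
    def jar_bytes(version, with_lookup):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if with_lookup:
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()
    d = Path(directory or tempfile.mkdtemp())
    (d / "log4j-core-2.14.1.jar").write_bytes(jar_bytes("2.14.1", True))
    (d / "log4j-core-2.14.1-stripped.jar").write_bytes(jar_bytes("2.14.1", False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", jar_bytes("2.16.0", True))
    (d / "app.war").write_bytes(war.getvalue())
    return str(d)
```

Run `scan_tree("/opt/your-app")` against a real deployment directory; the nested label (`app.war!WEB-INF/lib/...`) tells you which bundle still needs rebuilding.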
3. Amazon OpenSearch:
Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. You should receive an email about the update at your root AWS account email address, as well as a notification in the AWS Console.
4. ELK Stack:
a. Upgrade to Elasticsearch 7.16.1, which disables JNDI lookups and ships a patched log4j jar with the JndiLookup class removed from the classpath.
b. Upgrade Logstash to version 7.16.1, which updates its log4j dependency to 2.15.0.
5. Scanning Local Docker Images for log4j vulnerability:
First update your docker scan plugin to 0.11.0+ or update Docker Desktop to 4.3.1+.
You can then use the docker scan command to check your local images for the log4j vulnerability:
$ docker scan elastic/logstash:7.13.3