Protection against the Apache Log4j2 Vulnerability (CVE-2021-44228)

Please note: Since this blog's initial publishing, F5 has reviewed subsequent CVEs (CVE-2021-45046 and CVE-2021-4104) and determined that the protection mechanisms described below are effective for these vulnerabilities as well.

Since breaking on December 9, security teams around the world have been working around the clock to understand the threat posed by the Apache Log4j2 security vulnerability (CVE-2021-44228), identify their exposure, and put mitigations in place. Much has been written on the vulnerability, also referred to as Log4Shell, but in short it’s a Remote Code Execution vulnerability which means attackers can send specific data to a vulnerable application to trigger a series of actions that result in the target application being compromised. Attackers can exploit this in a variety of ways, for example, having a crypto-currency miner installed or extracting sensitive data from the application.

Vulnerabilities, exploitations, mitigation, and remediation are always disruptive, and it’s F5’s mission to do what we can to provide expertise and support for customers. Teams across F5 have been actively working on tools and guidance to help already overburdened application and security teams mitigate this significant industry threat.

We have evaluated our F5 products and services, determining based on current information that BIG-IP, NGINX, Silverline, Volterra, and Threat Stack products are not vulnerable to these issues. For F5 Managed Services, we have contacted customers through our normal communications channels. Our security advisories on AskF5 will always have the most up-to-date information on our products and mitigations for Log4j vulnerabilities:

• K19026212: Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228
• K24554520: Apache Log4j Remote Code Execution vulnerability CVE-2021-4104
• K32171392: Apache Log4j2 vulnerability CVE-2021-45046

Leveraging F5 products and services to mitigate Log4j vulnerabilities is a quick and effective means to mitigate the risk these CVEs pose to your environment. For long-term remediation, we urge our customers and their development teams to upgrade or remove (if no longer needed) any vulnerable Log4j libraries from the applications.

You'll find more detailed information below on the ways we are providing support through comprehensive and responsive security solutions across our portfolio of products and services.

F5 Security Incident Response Team (SIRT)

If you are under attack or are concerned about a vulnerability exposure, please contact F5 Support and request an escalation to the F5 SIRT. This team is available 24/7 to provide guidance on everything from patching of F5 software and systems to configuration and iRule assistance to mitigate attacks or vulnerability exposure.

BIG-IP Advanced WAF

F5 has released as set of signatures for BIG-IP Advanced WAF and ASM that block known attack vectors for Log4j vulnerabilities. Nine total signatures from the F5 Threat Research team are available as of this writing, including two that were available within hours of the initial CVE publication. We are continuously updating the signatures to enhance protection against bypass attempts, so please ensure that you have the very latest Attack Signature Update (ASU) package.

You can learn more about how to mitigate these vulnerabilities via your existing BIG-IP Advanced WAF (or ASM) policy in this security advisory.

BIG-IP iRule

For F5 BIG-IP customers that are not using Advanced WAF or ASM capabilities, an F5 iRule can be applied to applications to detect, log, and drop the offending traffic targeting specific CVEs. Our initial security advisory has more information and guidance for implementing the iRule.

NGINX App Protect

NGINX App Protect customers receive signature updates simultaneous to BIG-IP Advanced WAF customers, ensuring consistent application security regardless of F5 platform. To mitigate related vulnerabilities via your NGINX App Protect configuration, please ensure your signatures are updated, review this document, and ensure that the “Server Side Code Injection” attack type is enabled for your WAF policy. Additional context is available in a recently published blog post.

Volterra WAF

Our Volterra WAF platform, like NGINX App Protect and BIG-IP Advanced WAF, received updated signatures to further mitigate any exposure related to Log4j vulnerabilities. These signatures are now included in the default WAF policy and no additional action is required for our Volterra WAF customers to mitigate this threat.

F5 Silverline

The F5 Silverline team has implemented the necessary mitigations to ensure customer applications are protected from the applicable vulnerabilities. The F5 Silverline SOC is continuously monitoring for threats and will apply necessary mitigations and protections in coordination with our threat research team and our customers. The Silverline team operates as an extension of your own AppSec team, working 24/7 on your behalf.

If you have specific questions on your Silverline configuration, please contact the SOC at: support@f5silverline.com and to learn more about Silverline services, please visit: https://www.f5.com/es_es/products/security/silverline

Threat Stack

F5 recently acquired Threat Stack and welcomes the significant inspection, detection, and reporting capabilities that the Threat Stack service offers. The Threat Stack service already includes several detection rules that can indicate the compromise of Log4j, including launching of services as root, services running from a shell, and escalation attempts.

If you are interested in Threat Stack services to help protect your applications from current Log4j threats as well as detect unusual activity, ensure compliance, and receive comprehensive application insights, please contact your current F5 Sales Representative or visit: https://www.threatstack.com

Shape Security

Most attempts to exploit any vulnerability begin with automated reconnaissance. With that in mind, Shape Security’s AI-driven Bot Defense is an important first line of defense to eliminate those automated scans and increase the difficulty for attackers attempting to discover this vulnerability in your Internet-facing web applications. The Shape AI Cloud enables near real-time adaptation to bot-driven automated attacks to keep pace with ever-changing tactics of attackers operating botnets. If you would like to learn more about Shape, please visit: https://www.f5.com/es_es/products/security/shape-security

Staying in the Loop

Please visit our security advisories on CVE-2021-44228, CVE-2021-4104, and CVE-2021-45046 for the most up-to-date information on F5 mitigations. In addition, customers can learn more from the following resources.

F5 Labs

• Explaining the Widespread Log4j Vulnerability
• Log4Shell: Rebooting (The Same Old) Security Principles in its Wake

DevCentral

• DC Connects Live Show on Log4j2 Vulnerability
• Mitigating Log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

NGINX

•  Mitigating the Log4j Vulnerability with NGINX

We will continue to provide customers with the latest information on related vulnerabilities and will add links to resources above. Additionally, customers can subscribe to notifications regarding software releases, security alerts, and other important updates.

_______

By Scott Altman, Sr. Director of Global Security Solutions Architects, F5