Last active
April 4, 2022 21:43
-
-
Save dgershman/712eabe8664fa4573f6273b639195600 to your computer and use it in GitHub Desktop.
AWS WAFv2 for Log4ShellRCE (CVE-2021-44228, CVE-2021-45046) and Spring4ShellRCE (CVE-2022-22963, CVE-2022-22965)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ... | |
| rule { | |
| name = "4ShellRCEs" | |
| priority = ? | |
| override_action { | |
| count {} | |
| } | |
| statement { | |
| managed_rule_group_statement { | |
| name = "AWSManagedRulesKnownBadInputsRuleSet" | |
| vendor_name = "AWS" | |
| excluded_rule { | |
| name = "Host_localhost_HEADER" | |
| } | |
| excluded_rule { | |
| name = "PROPFIND_METHOD" | |
| } | |
| excluded_rule { | |
| name = "ExploitablePaths_URIPATH" | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "4ShellRCEs" | |
| sampled_requests_enabled = true | |
| } | |
| } | |
| rule { | |
| name = "4ShellRCEs-Block" | |
| priority = ? | |
| action { | |
| block {} | |
| } | |
| statement { | |
| or_statement { | |
| statement { | |
| label_match_statement { | |
| scope = "LABEL" | |
| key = "awswaf:managed:aws:known-bad-inputs:Log4JRCE" | |
| } | |
| } | |
| statement { | |
| label_match_statement { | |
| scope = "LABEL" | |
| key = "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_HEADER" | |
| } | |
| } | |
| statement { | |
| label_match_statement { | |
| scope = "LABEL" | |
| key = "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_BODY" | |
| } | |
| } | |
| statement { | |
| label_match_statement { | |
| scope = "LABEL" | |
| key = "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URIPATH" | |
| } | |
| } | |
| statement { | |
| label_match_statement { | |
| scope = "LABEL" | |
| key = "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QUERYSTRING" | |
| } | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "4ShellRCEs-blocking" | |
| sampled_requests_enabled = true | |
| } | |
| } | |
| ... |
Updated for Spring4Shell
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This requires the use of AWS Terraform Provider 3.67.0 or greater.