
@tferic
Last active December 16, 2021 10:26
haproxy - block log4shell rules (alternative)

This gist shows how haproxy can be configured to block log4shell attacks using a regex.

The method described here should be viewed as an alternative to the "official" solution:
December/2021 – CVE-2021-44228: Log4Shell Remote Code Execution Mitigation

Understanding

The main problem is that attackers may obfuscate the attack string in a way that is very difficult or impossible to detect by regex. Using a WAF is a better way to deal with the issue.
There is a tool that creates randomly obfuscated attack strings. An administrator can use it to test the robustness of blocking rules:
log4j-payload-generator

There is a tool that administrators can use to detect problems related to log4shell in their infrastructure:
log4shell-detector
Under "issues", someone suggested using a regex (the one used here):
Doing just the same using a RegEx #5

License

Use the suggested solution here at your own risk. Published under MIT license:
https://mit-license.org/

Implementation

There is a very complex regex which can be put into a separate file, in order to keep the haproxy.cfg file tidy. However, the regex could also be used "inline" in the haproxy.cfg file.
Notice: The files below are incomplete as a haproxy configuration and cannot be used as is. They only illustrate how the solution is implemented.

There are two ways to implement it (either/or):

  • With separate ACL file
  • haproxy.cfg file only

With separate ACL file

This solution may be suitable for haproxy (Community Edition) and the commercial HAProxy HAPEE version.

File: /etc/haproxy/acls/isregex_log4shell.acl

# RegEx against Log4Shell vulnerability
# used from https://github.com/Neo23x0/log4shell-detector/issues/5
# Note: the original pattern had an empty alternative ("l|L||%[64][Cc]") in the l/L group,
# which made that character optional; it has been removed here.
(?:\$|%24)(?:{|%7[Bb]).{0,30}(?:j|J|%[64][Aa]).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:d|D|%[64]4).{0,30}(?:i|I|%[64]9).{0,30}(?::|%3[Aa]).{0,30}(?:(?:l|L|%[64][Cc]).{0,30}(?:d|D|%[64]4).{0,30}(?:a|A|%[64]1).{0,30}(?:p|P|%[75]0)(?:.{0,30}(?:s|S|%[72]3))?|(?:r|R|%[72]2).{0,30}(?:m|M|%[64][Dd]).{0,30}(?:i|I|%[64]9)|(?:d|D|%[64]4).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:s|S|%[72]3)).{0,30}(?::|%3[Aa])

File: haproxy.cfg

frontend www
   mode http
   # Fix against Log4j Log4Shell vulnerability
   http-request deny if { url,url_dec -i -m reg -f /etc/haproxy/acls/isregex_log4shell.acl }
   http-request deny if { req.hdrs    -i -m reg -f /etc/haproxy/acls/isregex_log4shell.acl }

haproxy.cfg file only

This solution may be suitable for the commercial HAProxy ALOHA version, as separate ACL files are not supported.

File: haproxy.cfg

frontend www
   mode http
   # Fix against Log4j Log4Shell vulnerability
   # (same regex as the ACL file, inline; the empty "||" alternative of the original l/L group removed)
   http-request deny if { url,url_dec -i -m reg (?:\$|%24)(?:{|%7[Bb]).{0,30}(?:j|J|%[64][Aa]).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:d|D|%[64]4).{0,30}(?:i|I|%[64]9).{0,30}(?::|%3[Aa]).{0,30}(?:(?:l|L|%[64][Cc]).{0,30}(?:d|D|%[64]4).{0,30}(?:a|A|%[64]1).{0,30}(?:p|P|%[75]0)(?:.{0,30}(?:s|S|%[72]3))?|(?:r|R|%[72]2).{0,30}(?:m|M|%[64][Dd]).{0,30}(?:i|I|%[64]9)|(?:d|D|%[64]4).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:s|S|%[72]3)).{0,30}(?::|%3[Aa]) }
   http-request deny if { req.hdrs    -i -m reg (?:\$|%24)(?:{|%7[Bb]).{0,30}(?:j|J|%[64][Aa]).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:d|D|%[64]4).{0,30}(?:i|I|%[64]9).{0,30}(?::|%3[Aa]).{0,30}(?:(?:l|L|%[64][Cc]).{0,30}(?:d|D|%[64]4).{0,30}(?:a|A|%[64]1).{0,30}(?:p|P|%[75]0)(?:.{0,30}(?:s|S|%[72]3))?|(?:r|R|%[72]2).{0,30}(?:m|M|%[64][Dd]).{0,30}(?:i|I|%[64]9)|(?:d|D|%[64]4).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:s|S|%[72]3)).{0,30}(?::|%3[Aa]) }
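To check what the two deny rules would match before loading them, here is an added Python harness (not part of the gist) that applies the same regex to a few constructed sample requests, mirroring the `url,url_dec` rule and the `req.hdrs` rule. `would_deny`, the sample requests and the use of `urllib.parse.unquote` in place of HAProxy's `url_dec` are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Regex from the ACL file above (with the empty "||" alternative of the
# l/L group removed). HAProxy's -i flag is mirrored by re.IGNORECASE.
LOG4SHELL_RE = re.compile(
    r"(?:\$|%24)(?:{|%7[Bb]).{0,30}(?:j|J|%[64][Aa]).{0,30}(?:n|N|%[64][Ee])"
    r".{0,30}(?:d|D|%[64]4).{0,30}(?:i|I|%[64]9).{0,30}(?::|%3[Aa]).{0,30}"
    r"(?:(?:l|L|%[64][Cc]).{0,30}(?:d|D|%[64]4).{0,30}(?:a|A|%[64]1).{0,30}"
    r"(?:p|P|%[75]0)(?:.{0,30}(?:s|S|%[72]3))?"
    r"|(?:r|R|%[72]2).{0,30}(?:m|M|%[64][Dd]).{0,30}(?:i|I|%[64]9)"
    r"|(?:d|D|%[64]4).{0,30}(?:n|N|%[64][Ee]).{0,30}(?:s|S|%[72]3))"
    r".{0,30}(?::|%3[Aa])",
    re.IGNORECASE,
)


def would_deny(url: str, raw_headers: str) -> list:
    """Return the names of the two haproxy rules that would fire for a request.

    url         -- request URL as sent on the wire (percent-encoded)
    raw_headers -- the raw header block, as req.hdrs sees it (not decoded)
    """
    hits = []
    # Rule 1: "url,url_dec" decodes the URL first, so a percent-encoded
    # payload is matched by the literal branches of the regex.
    if LOG4SHELL_RE.search(unquote(url)):
        hits.append("url")
    # Rule 2: "req.hdrs" is matched undecoded; the %XX branches cover
    # encoded characters there.
    if LOG4SHELL_RE.search(raw_headers):
        hits.append("req.hdrs")
    return hits


# Constructed sample requests (hostnames are placeholders).
BENIGN = ("/search?q=java+logging", "Host: example.test\r\nUser-Agent: curl/7.79\r\n")
ENCODED_URL = ("/login?user=%24%7Bjndi%3Aldap%3A%2F%2Fexample.test%2Fa%7D",
               "Host: example.test\r\n")
# Nested lookup in a header: the .{0,30} gaps in the regex are what bridge
# the characters inserted between "j" and "ndi".
HEADER_GAPS = ("/", "User-Agent: ${${lower:j}ndi:rmi://example.test/x}\r\n")

if __name__ == "__main__":
    for name, (u, h) in [("benign", BENIGN), ("encoded url", ENCODED_URL),
                         ("header gaps", HEADER_GAPS)]:
        print(f"{name:12s} -> denied by {would_deny(u, h) or 'nothing'}")
```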