Update: all three WAF rules have now been configured with a default action of BLOCK.
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).
This vulnerability is actively being exploited and anyone using Log4j should update to version 2.15.0 as soon as possible. The latest version can already be found on the Log4j download page.
If updating to the latest version is not possible the vulnerability can be mitigated by removing the JndiLookup class from the class path. Additionally, the issue can be mitigated on Log4j versions >=2.10 by setting the system property log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
Customers using the Cloudflare WAF can also leverage three newly deployed rules to help mitigate any exploit attempts:
Rule ID
Description
Default Action
100514 (legacy WAF)6b1cc72dff9746469d4695a474430f12 (new WAF)
Log4j Headers
BLOCK
100515 (legacy WAF)0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF)
Log4j Body
BLOCK
100516 (legacy WAF)5f6744fa026a4638bda5b3d7d5e015dd (new WAF)
Log4j URL
BLOCK
The mitigation has been split across three rules inspecting HTTP headers, body and URL respectively.
We are continuing to monitor the situation and will update any WAF managed rules accordingly.
More details on the vulnerability can be found on the official Log4j security page.
Who is affected
Log4j is a powerful Java based logging library maintained by the Apache Software Foundation.
In all Log4j versions >= 2.0-beta9 and <= 2.14.1 JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.