WAF Setting CVE-2021-44228

0

Dear AWS,

thank you for reacting so quickly to mitigate CVE-2021-44228. We have enabled AWS WAF for our workloads but see some room for improvement:

check all headers

It looks as if the WAF filters nicely all strings that might result in a JNDI call. But it looks as if not every header is checked. So we see 'x-forward-for' or 'http_user_agent' headers in our logs that contain malicious data without being blocked (they have Status Code 200 instead of 403). Examples: ;-) are not possible due to the AWS WAF.

suppress malicious content

Even if the WAF works nicely and blocks the malicious content, an entry is written to the logs. So an unpatched system reading this log will be bitten by the vulnerability. In our case it is the AWS Opensearch and we should be fine. But the possibility to have something like "don't log blocked requests" might be an idea for improvement. Doing so on the AWS side would help people to really "don't even get in contact" with malicious content.

Just my 2 cents ;-)

Warm regards from Munich!

Thorsten

Matrix
Asked 2 years ago, 368 views
1 answer
0

Hi Thorsten,

thank you for the feedback. We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet Rule Group as we learn more. To receive automatic updates to the AWSManagedRulesKnownBadInputsRuleSet, please choose the default version - see https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ for the latest updates.

Re the log filtering, you can add filtering to specify which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied during the request evaluation. You can use the awswaf:managed:aws:known-bad-inputs:Log4JRCE label as log filter. See https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html and https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs for additional details.

AWS
Expert
Luca_I
Answered 2 years ago
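The answer above describes a logging filter keyed on the rule action and on the `awswaf:managed:aws:known-bad-inputs:Log4JRCE` label. The following is an added example, not code from AWS or from either poster: it builds the `LoggingFilter` shape that `wafv2 put-logging-configuration` accepts (the two ARNs are placeholders) and replays a simplified model of the filter semantics over constructed sample WAF log records, so you can see which entries would still reach OpenSearch. The record layout (`action`, `labels[].name`) follows the WAF log format; the `should_keep` evaluator is my reading of the documented semantics (first matching filter wins, otherwise `DefaultBehavior`), not AWS's implementation.

```python
"""Added example: WAF v2 logging filter that drops blocked Log4J-labelled
requests, plus a small model of how the filter decides per log record.
"""
import json

# Label applied by AWSManagedRulesKnownBadInputsRuleSet (from the page).
LOG4J_LABEL = "awswaf:managed:aws:known-bad-inputs:Log4JRCE"


def build_logging_configuration(web_acl_arn, log_destination_arn):
    """Return a LoggingConfiguration for PutLoggingConfiguration.

    Requests that were BLOCKed *and* carry the Log4J label are dropped from
    the log; everything else is kept (DefaultBehavior KEEP).
    """
    return {
        "ResourceArn": web_acl_arn,            # placeholder, not a real ARN
        "LogDestinationConfigs": [log_destination_arn],
        "LoggingFilter": {
            "DefaultBehavior": "KEEP",
            "Filters": [
                {
                    "Behavior": "DROP",
                    "Requirement": "MEETS_ALL",
                    "Conditions": [
                        {"ActionCondition": {"Action": "BLOCK"}},
                        {"LabelNameCondition": {"LabelName": LOG4J_LABEL}},
                    ],
                }
            ],
        },
    }


def _condition_matches(condition, record):
    """Evaluate one filter condition against one WAF log record."""
    if "ActionCondition" in condition:
        return record.get("action") == condition["ActionCondition"]["Action"]
    if "LabelNameCondition" in condition:
        wanted = condition["LabelNameCondition"]["LabelName"]
        return any(lbl.get("name") == wanted for lbl in record.get("labels", []))
    return False


def should_keep(logging_filter, record):
    """Model (assumption) of WAF filter semantics: the first filter whose
    conditions are satisfied decides KEEP/DROP; otherwise DefaultBehavior."""
    for flt in logging_filter["Filters"]:
        results = [_condition_matches(c, record) for c in flt["Conditions"]]
        matched = all(results) if flt["Requirement"] == "MEETS_ALL" else any(results)
        if matched:
            return flt["Behavior"] == "KEEP"
    return logging_filter["DefaultBehavior"] == "KEEP"


def apply_filter(config, records):
    """Return the records that would actually be written to the log."""
    return [r for r in records if should_keep(config["LoggingFilter"], r)]


# Constructed sample records (not real traffic); payload text is redacted.
SAMPLE_RECORDS = [
    {"id": "r1", "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesKnownBadInputsRuleSet",
     "labels": [{"name": LOG4J_LABEL}], "httpRequest": {"uri": "/", "headerValue": "<redacted lookup string>"}},
    {"id": "r2", "action": "BLOCK", "terminatingRuleId": "RateLimitRule",
     "labels": [], "httpRequest": {"uri": "/login"}},
    {"id": "r3", "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "labels": [], "httpRequest": {"uri": "/health"}},
    # Rule group in COUNT mode: label is applied but the request is allowed.
    {"id": "r4", "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "labels": [{"name": LOG4J_LABEL}], "httpRequest": {"uri": "/", "headerValue": "<redacted lookup string>"}},
]


if __name__ == "__main__":
    cfg = build_logging_configuration(
        "arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/PLACEHOLDER/ID",
        "arn:aws:logs:REGION:ACCOUNT:log-group:aws-waf-logs-PLACEHOLDER",
    )
    print(json.dumps(cfg["LoggingFilter"], indent=2))
    for rec in apply_filter(cfg, SAMPLE_RECORDS):
        print("logged:", rec["id"], rec["action"], [l["name"] for l in rec["labels"]])
```

Note what record `r4` shows: with `Requirement: MEETS_ALL` a labelled request that was only counted (rule group in COUNT mode) is still logged with its payload. If the goal from the question is "never let the string reach the log pipeline", drop the `ActionCondition` and filter on the label alone, and remember that the filter can only act on requests the rule group actually labelled, so headers the rule set does not inspect are unaffected by it.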
