Barracuda WAF and WAF-as-a-Service limit the Apache Log4j Critical Vulnerability

Barracuda Web Application Firewall hardware and virtual appliances; Barracuda CloudGen WAF on AWS, Azure, and GCP; Barracuda WAF-as-a-Service; and Barracuda LoadBalancer ADC do not use Log4j, and hence are not affected by this vulnerability. Please visit the Barracuda Trust Center to stay up to date as we will continue to share further updates.

Details of the vulnerability

Log4j is a Java-based logging audit framework within Apache. Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. The vulnerability impacts default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are utilized by numerous organizations from Apple, Amazon, Cloudflare, Twitter, Steam, and others.

The vulnerability is triggered by sending a specific string to the log4j software which means it is simple to exploit, and the broad utilization of this software means there are multiple attack vectors. Over the course of the past few days, we have seen attackers increasingly obfuscate their reconnaissance and exploit attempts for this vulnerability.

CVSS: 10 - Critical

CVE: CVE-2021-44228

Attack detection and protection

Barracuda WAF-as-a-Service

We are rolling out new signatures to detect the log4j exploit attempts and block them. These signatures have been updated to handle the latest evasions seen in the field as of December 13, 2021. These signatures and settings will block both GET and POST requests that are attempting this exploit.

Barracuda Web Application Firewall & Barracuda CloudGen WAF

The latest signatures for this vulnerability are being rolled out to units in the field. These signatures and settings will block both GET and POST requests that are attempting this exploit. While these signatures detect variations that have been seen so far, we continue to update them as newer variants pop up. As a best practice, we recommend patching your log4j installations to the latest versions that have this issue fixed.

To learn more about the new signatures and settings required for this mitigation, please review this campus document.

For any assistance with these settings or questions regarding the attack patterns, contact Barracuda Networks Technical Support.