Hello there,
If you don't know yet, a CVE was published on Friday about the log4j library,
allowing remote code execution with a crafted HTTP request.
We would like to filter these requests on HAProxy to lower the exposure.
At peak times, 20% of our web traffic is scanners for this bug!
The offending string is "${jndi:". It must be filtered in any field that
could go to log servers:
- URL
- User-Agent
- User name
What would be the easiest way to do that? If I give it a try:
http-request deny deny_status 405 if { url_sub -i '${jndi:' } or { hdr_sub(user-agent) -i '${jndi:' }
What do you think ?
Olivier