How-To configure Protect to block CVE-2021-44228 exploitations

Update: A new Contrast Java agent has been released (3.9.0.23766) which adds a CVE shield for CVE-2021-44228 exploitations. Our out-of-the-box Protect rules already provide very good protection against Log4j exploitation; this shield adds protection by stopping attacks earlier, preventing Log4j from looking up JNDI values. The CVE shield can be configured from the Contrast UI along with the other rules (below), or directly on the agent with the following configuration:

PROTECT_CVE_2021_44228_MODE:

  Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)

  Yaml Path: protect.rules.cve-2021-44228.mode
  Environment Variable: CONTRAST__PROTECT__RULES__CVE-2021-44228__MODE
  System Property: -Dcontrast.protect.rules.cve-2021-44228.mode

You may run this CVE shield alone or alongside our other rules to protect against all RCEs.

Objective

Configure the Contrast Java agent to best protect against exploitation of the Log4j zero-day (CVE-2021-44228). The initial JNDI call will not be detected, but the resulting malicious response will be prevented from running, because at that point it is an Expression Language injection attack.

Process

To configure Protect to block via the Contrast UI:

Follow the guidance on our documentation site for configuring Protect rules. Navigate to your application and select the Protect tab. In the Find rule search, look for the following rules and use the drop-down arrow to select Block in any environment where this is desired.

  • Expression Language Injection
  • OGNL Injection
  • Untrusted Deserialization

See the following video for more help on how to enable blocking for your applications. 

Once set, it will take around 5-10 minutes for the new configuration to be pushed down to running agents automatically.

To configure Protect to block via the Agent's local configuration:

The following Protect parameters are needed:

DEFEND_EL_INJECTION_MODE:

  Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)

  Yaml Path: protect.rules.expression-language-injection.mode
  Environment Variable: CONTRAST__PROTECT__RULES__EXPRESSION-LANGUAGE-INJECTION__MODE
  System Property: -Dcontrast.protect.rules.expression-language-injection.mode

DEFEND_OGNL_MODE:

  Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)

  Yaml Path: protect.rules.ognl-injection.mode
  Environment Variable: CONTRAST__PROTECT__RULES__OGNL-INJECTION__MODE
  System Property: -Dcontrast.protect.rules.ognl-injection.mode

DEFEND_DESERIALIZATION_MODE:

  Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)

  Yaml Path: protect.rules.untrusted-deserialization.mode
  Environment Variable: CONTRAST__PROTECT__RULES__UNTRUSTED-DESERIALIZATION__MODE
  System Property: -Dcontrast.protect.rules.untrusted-deserialization.mode

The agent can be configured via YAML, environment variable or system property. The following example shows how this is configured in the YAML file.

Yaml example:

protect:
  enable: true
  rules:
    ognl-injection:
      mode: block
    expression-language-injection:
      mode: block
    untrusted-deserialization:
      mode: block

Once configured on the agent, the application will need to be restarted for the changes to take effect.
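The following helper is an added example, not Contrast's own tooling: it renders the settings above in all three forms (YAML, environment variable, system property) for the four rules this article sets to block, and rejects any mode other than monitor, block or off. The path-to-variable mapping is derived from the triples listed in this article and is assumed to hold for any rule path.

```python
"""Three equivalent forms of a Contrast Protect rule setting (added example, not
Contrast's own tooling; the mapping is derived from the YAML path / environment
variable / system property triples listed above and assumed to hold generally)."""

VALID_MODES = ("monitor", "block", "off")

# Rule names this article sets to block (YAML path minus the trailing ".mode").
LOG4SHELL_RULES = ("cve-2021-44228", "expression-language-injection",
                   "ognl-injection", "untrusted-deserialization")


def check_mode(mode: str) -> str:
    """Reject anything other than the three modes the rules accept."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    return mode


def to_env_var(yaml_path: str) -> str:
    """protect.rules.ognl-injection.mode -> CONTRAST__PROTECT__RULES__OGNL-INJECTION__MODE"""
    return "CONTRAST__" + "__".join(p.upper() for p in yaml_path.split("."))


def to_system_property(yaml_path: str, mode: str) -> str:
    """JVM flag form, e.g. -Dcontrast.protect.rules.ognl-injection.mode=block"""
    return f"-Dcontrast.{yaml_path}={check_mode(mode)}"


def rule_settings(rules=LOG4SHELL_RULES, mode="block") -> dict:
    """Map each rule to its YAML path, environment variable and system property."""
    out = {}
    for rule in rules:
        path = f"protect.rules.{rule}.mode"
        out[rule] = {"yaml_path": path, "env": to_env_var(path),
                     "sysprop": to_system_property(path, mode)}
    return out


def protect_yaml(rules=LOG4SHELL_RULES, mode="block") -> str:
    """Render a protect: block with each rule as a mapping key and its mode
    nested beneath it, matching the YAML paths listed above."""
    check_mode(mode)
    lines = ["protect:", "  enable: true", "  rules:"]
    for rule in rules:
        lines += [f"    {rule}:", f"      mode: {mode}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(protect_yaml())
    for rule, forms in rule_settings().items():
        print(rule, forms["env"], forms["sysprop"])
```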
