PROTECT_CVE_2021_44228_MODE:
Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)
Yaml Path: protect.rules.cve-2021-44228.mode
Environment Variable: CONTRAST__PROTECT__RULES__CVE-2021-44228__MODE
System Property: -Dcontrast.protect.rules.cve-2021-44228.mode
You may run this CVE shield alone or alongside the other Protect rules listed below (Expression Language Injection, OGNL Injection, Untrusted Deserialization) to cover the related remote code execution (RCE) paths.
Objective
Configure the Contrast Java agent to best protect against exploitation of the Log4j zero-day (CVE-2021-44228). The agent does not detect the initial JNDI lookup; it blocks the malicious payload returned by the attacker's server, which at that point is handled as an Expression Language injection attack.
Process
To configure Protect to block via the Contrast UI:
Follow the guidance on our documentation site for configuring Protect rules: navigate to your application, select the Protect tab, and in the Find rule search look for the following rules. Use the drop-down arrow to select Block in each environment where blocking is desired.
- Expression Language Injection
- OGNL Injection
- Untrusted Deserialization
See the following video for more help on how to enable blocking for your applications.
Once set, it takes around 5-10 minutes for the new configuration to be pushed down automatically to running agents.
To configure Protect to block via the Agent's local configuration:
The following Protect parameters are needed:
DEFEND_EL_INJECTION_MODE:
Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)
Yaml Path: protect.rules.expression-language-injection.mode
Environment Variable: CONTRAST__PROTECT__RULES__EXPRESSION-LANGUAGE-INJECTION__MODE
System Property: -Dcontrast.protect.rules.expression-language-injection.mode
DEFEND_OGNL_MODE:
Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)
Yaml Path: protect.rules.ognl-injection.mode
Environment Variable: CONTRAST__PROTECT__RULES__OGNL-INJECTION__MODE
System Property: -Dcontrast.protect.rules.ognl-injection.mode
DEFEND_DESERIALIZATION_MODE:
Description: if present, controls the mode of the rule; can be monitor, block, or off (default: off)
Yaml Path: protect.rules.untrusted-deserialization.mode
Environment Variable: CONTRAST__PROTECT__RULES__UNTRUSTED-DESERIALIZATION__MODE
System Property: -Dcontrast.protect.rules.untrusted-deserialization.mode
The agent can be configured via YAML, environment variable or system property. The following example shows how this is configured in the YAML file.
Yaml example:
protect:
  enable: true
  rules:
    ognl-injection:
      mode: block
    expression-language-injection:
      mode: block
    untrusted-deserialization:
      mode: block
Once configured on the agent, the application must be restarted for the changes to take effect.
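The local-configuration procedure above, carried through as an added example (this is not Contrast's own code or tooling): it writes a contrast_security.yaml that enables the CVE shield and the three rules from this page in one mode, verifies the file before the restart, and shows the equivalent system-property and environment-variable launch forms. The file path, the agent jar path and the app jar name are illustrative assumptions; the property and variable names follow the naming convention given on this page (protect.enable is assumed to map to -Dcontrast.protect.enable / CONTRAST__PROTECT__ENABLE in the same way the rule paths do).

```shell
#!/bin/sh
# Added example, not Contrast's own code. Assumed paths:
#   /opt/contrast/contrast_security.yaml  agent YAML config
#   /opt/contrast/contrast.jar            agent jar
#   app.jar                               the application

PROTECT_RULES="cve-2021-44228 expression-language-injection ognl-injection untrusted-deserialization"

# Write a YAML config enabling Protect with every rule above in one mode.
# $1 = path to YAML file, $2 = mode (monitor | block | off)
write_protect_config() {
  {
    echo "protect:"
    echo "  enable: true"
    echo "  rules:"
    for r in $PROTECT_RULES; do
      echo "    $r:"
      echo "      mode: $2"
    done
  } > "$1"
}

# Print the mode configured for one rule. Fixed-indent parser that is
# sufficient for the file written above; use a real YAML tool for arbitrary files.
# $1 = yaml path, $2 = rule name
rule_mode() {
  awk -v rule="$2" '
    $1 == rule ":"          { found = 1; next }
    found && $1 == "mode:"  { print $2; exit }
    found                   { found = 0 }
  ' "$1"
}

# Check before restarting the app: return 0 only if every rule is in the expected mode.
# $1 = yaml path, $2 = expected mode
verify_protect_config() {
  for r in $PROTECT_RULES; do
    m=$(rule_mode "$1" "$r")
    if [ "$m" != "$2" ]; then
      echo "rule $r is '${m:-unset}', expected $2" >&2
      return 1
    fi
  done
  return 0
}

# System-property form for the java command line (hyphens are fine in -D keys).
# $1 = mode
protect_jvm_opts() {
  printf '%s ' "-Dcontrast.protect.enable=true"
  for r in $PROTECT_RULES; do
    printf '%s ' "-Dcontrast.protect.rules.$r.mode=$1"
  done
}

# Environment-variable form. The variable names contain hyphens, which `export`
# in a POSIX shell rejects as invalid identifiers, so pass them through env(1)
# (or set them in the container / service manager environment).
# $1 = mode, remaining args = command to run
run_with_protect_env() {
  mode=$1; shift
  set -- "CONTRAST__PROTECT__ENABLE=true" \
         "CONTRAST__PROTECT__RULES__CVE-2021-44228__MODE=$mode" \
         "CONTRAST__PROTECT__RULES__EXPRESSION-LANGUAGE-INJECTION__MODE=$mode" \
         "CONTRAST__PROTECT__RULES__OGNL-INJECTION__MODE=$mode" \
         "CONTRAST__PROTECT__RULES__UNTRUSTED-DESERIALIZATION__MODE=$mode" "$@"
  env "$@"
}

# Usage (assumed paths; run after the config is in place, then restart the app):
#   write_protect_config /opt/contrast/contrast_security.yaml block
#   verify_protect_config /opt/contrast/contrast_security.yaml block || exit 1
#   java -javaagent:/opt/contrast/contrast.jar $(protect_jvm_opts block) -jar app.jar
#   run_with_protect_env block java -javaagent:/opt/contrast/contrast.jar -jar app.jar
```

A reasonable rollout is to write the file with monitor first, confirm the agent reports the rules without blocking legitimate traffic, then switch to block; the verify step guards against the common mistake in hand-edited YAML of nesting `mode:` under a key such as `ognl-injection.mode:` instead of under `ognl-injection:`, which the agent silently ignores. Whichever form you use, the application still has to be restarted for the agent to pick up the change.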