Novel JSON Function Use in SQL Injection

On the 9th of December 2022, Fastly began investigation into a novel attack vector recently demonstrated in a blog post by security researchers, Claroty’s Team82. It uses JSON functions within SQL injection (SQLi) payloads that may not currently be detected by our NextGen and Legacy WAF products. Since the publication of this new attack vector, our teams have been working to extend detections for Fastly WAF products. Our teams have released a new scoring rule for the Fastly Legacy 2020 WAF that customers may deploy at their convenience.Our team plans to release initial updates for Next Gen WAF Edge deployments, and a new agent version, that address this novel form of SQL injection later today. CloudWAF instances will be updated shortly thereafter. Fastly will not be releasing new rules to address this issue for pre-2020 Legacy WAF. Pre-2020 Legacy WAF customers may contact securitysupport@fastly.com for assistance upgrading to 2020 or Next-Gen WAF options.

We've improved our agent's SQLI detection to address this attack vector.To take advantage of this improved detection you will need to upgrade your agents to version 4.36.1. Our documentation on how to upgrade your agents can be found here: https://docs.fastly.com/signalsciences/upgrading/upgrading-an-agent/ If you are using a Cloud WAF or Edge Deployment, our team is currently upgrading these agents to take advantage of this improved SQLI detection.If you have any questions please reach out securitysupport@fastly.com

Fastly Next Generation WAF Edge deployments have now been updated to extend SQLI detections. No customer action is required to leverage these improvements.

Cloud WAF deployments have now been updated to extend SQLI detections.