Vulnerabilities in log4j

Fastly engineers have released a new version of Rule ID: 4100050* "Log4j2 - 2.14.1 JNDI possible RCE attempt" for Fastly Legacy WAF. This new version resolves a bug that may have reduced the efficacy of this rule. Fastly Legacy WAF customers are advised to update to the latest version of this rule as soon as possible to ensure the best possible levels of coverage for their accounts.

Strict Enforcement rules for Legacy WAF as well as Fastly 2020 and Signal Sciences Next-Gen WAFs are not affected and do not require any customer action at this time.

Fastly Engineers have released a new version of Log4j Strict Enforcement Rules to increase coverage while reducing false positives for both Fastly 2020 WAF and SignalScience Next-Gen WAF.

There is no action required for customers utilizing this rule in Signal Science implementations, however Fastly 2020 WAF customers must manually activate this new version.

For more information about managing Fastly 2020 WAF rules, please visit https://docs.fastly.com/en/guides/managing-rules-on-the-fastly-waf

As we continue to monitor the rapidly evolving situation with the log4j vulnerability, our Security Research and Engineering teams have completed several iterations of our Fastly WAF and Signal Sciences Next-Gen WAF CVE rules. Signal Sciences Next-Gen WAF implementations automatically receive updates to rules as they are released without any customer action required. Fastly Legacy and Fastly 2020 WAF implementations require customer action to implement updated rules.

For more information on how to update the legacy Fastly WAF rule set or individual rules in the Fastly 2020 WAF please visit

Legacy Fastly WAF - https://docs.fastly.com/en/guides/fastly-waf-rule-set-updates-maintenance-legacy#updating-to-the-latest-rules.
Fastly 2020 WAF - https://docs.fastly.com/en/guides/about-the-fastly-waf-rule-management-interface-legacy#adding-new-rules-to-your-waf

Going forward we will post updates to our status pages as new versions of these rules are made available.

Our efficacy testing has shown that these rules provide excellent coverage in protecting our customers from a wide range of variants and attacks, with minimal false positives.

While these rules are being used widely by a variety of customers with great results, a number of customers have asked for a method to provide more strict coverage, though it increases the risk of false positives and the possibility of blocking a portion of legitimate traffic. To accommodate this request, we have created a second set of, “strict enforcement rules.” These are titled:

Fastly WAFs: Log4j2 - 2.14.1 JNDI possible RCE attempt - strict
Signal Sciences WAF: CVE-2021-44228-STRICT

We recommend only using these rules as a last resort while working to patch your environment, due to the increased risk of blocking legitimate traffic.

Please contact our support teams if you have any questions or need any assistance updating these rules at support@fastly.com.

Fastly has just published a blog post,

https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

about the Log4j vulnerability. This blog includes background information on the vulnerability, Fastly's observations we've seen so far, and details on how to block exploitation attempts.

Fastly is aware of a serious vulnerability in log4j. We have developed defenses to assist customers in the mitigation of this vulnerability.

For Sciences Next-Gen WAF customers: You can enable this a new templated rule in the Signal Sciences console by going to Site Rules -> Templated Rules. Look for CVE-2021-44228 and click View. Click Configure. Check the box next to Enabled and click “Update rule”.

For Fastly Legacy WAF customers: please contact the CSOC at securitysupport@fastly.com for assistance with VCL snippets to protect your CDN services.