Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabled
Description
Using a vulnerable version of Apache Log4j library might enable attackers to exploit a Lookup mechanism that supports making requests using special syntax in a format string which can potentially lead to a risky code execution, data leakage and more. Set your Front Door Web Application Firewall (WAF) to prevent executing such mechanism using the rule definition below. Azure WAF has updated Default Rule Set (DRS) versions 1.0 and 1.1 with rule 944240 "`Remote Command Execution`" under Managed Rules to help in detecting and mitigating this vulnerability. This rule is already enabled by default in block mode for all existing WAF Default Rule Set configurations. Learn more around https://nvd.nist.gov/vuln/detail/CVE-2021-44228[CVE-2021-44228]
Code Example
resource "azurerm_frontdoor_firewall_policy" "example" {
name = "example"
resource_group_name = "example"
managed_rule {
type = "Microsoft_DefaultRuleSet"
version = "1.1"
override {
rule_group_name = "JAVA"
rule {
action = "Block"
enabled = true
rule_id = "944240"
}
}
}
}Remediation
Terraform
- Resource: azurerm_frontdoor_firewall_policy
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0640 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_133 |