GCP Cloud Armor policy not configured with cve-canary rule

Description

Using a vulnerable version of Apache Log4j library might enable attackers to exploit a Lookup mechanism that supports making requests using special syntax in a format string which can potentially lead to a risky code execution, data leakage and more. Set your Cloud Armor to prevent executing such mechanism using the rule definition below. Learn more around https://nvd.nist.gov/vuln/detail/CVE-2021-44228[CVE-2021-44228]

Code Example

resource "google_compute_security_policy" "example" {
  name = "example"

  rule {
    action   = "deny(403)"
    priority = 1
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('cve-canary')"
      }
    }
  }
}

Remediation

Terraform

Resource: google_compute_security_policy

Rule Details

Field	Value
ID	IAC-0931
Severity	MEDIUM
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV_GCP_73

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

GCP Cloud Armor policy not configured with cve-canary rule

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

GCP Cloud Armor policy not configured with cve-canary rule ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

GCP Cloud Armor policy not configured with cve-canary rule

Description

Code Example

Remediation

Rule Details

References