Wallarm changelog
Wallarm changelog
www.wallarm.com

Update on new DoS security issue in Log4j (CVE-2021-45105)

 

API Security

  

A new Log4j attack vector can potentially lead to the Denial of Service attack and the application crash. CVE-2021-45105 has been issued (the severity for this is classified as High - 7.5).

  • Wallarm Research Team has already verified that the Wallarm attack engine can detect CVE-2021-45105 exploits.
  • Attempts at exploitation will be automatically blocked in a blocking mode. When working in a monitoring mode, consider creating a virtual patch
  • A new fixed version of Log4j (2.17) has been published by Apache. Upgrades are highly recommended.

Update on Log4Shell (CVE-2021-44228)

 

API Security

  

Quick update

  • Wallarm has rolled out the update to detect and mitigate CVE-2021-44228.
  • No additional actions are required from the customers
  • Attempts at exploitation will be automatically blocked in a blocking mode
  • When working in a monitoring mode, consider creating a virtual patch

Log4Shell

A 0-day exploit in the Java core library log4j was discovered that results in Remote Code Execution (RCE) by simple 1-line exploit with JNDI url. Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. Read more.

The attack surface is very wide, since it’s almost impossible to find any single Java project without the log4j library enabled. It affects internal services and APIs that are based on Java and uses other API and application data to log them.

Wallarm update

Wallarm automatically identifies attempts of the Log4Shell exploitation and logs these attempts in the Wallarm Console. Corresponding changes have been added within two hours after the first information about CVE-2021-44228 has been published.

image.png

You can search for the relevant events by using filter by CVE:

image.png

Mitigation

When using Wallarm in blocking mode, these attacks will be automatically blocked. No actions required.

When using a monitoring mode, we suggest creating a virtual patch. Feel free to reach out to support@wallarm.com if you need assistance.

Simplified configuration of bruteforce protection

 

API Security

  

It's now easier to configure protection against API abuse, bruteforce or dirbusting attacks. Use an updated interface of Triggers:

  • The Bruteforce trigger defines classic bruteforce attack protection against specific URI based on the number of incoming requests.

  • The Forced browsing trigger forced browsing attacks allows to protect your apps against dirbusting (based on application 404 response codes)

In the simplest case, it is enough to enter the URI when creating the trigger. Wallarm will collect statistics from all the distributed Wallarm nodes deployed across your whole infrastructure.

image.png

When required, you can also use regular expressions (for example. wildcard URLs) or specify specific request headers (such as cookies) using the advanced view. Read more in our documentation.

Note: There is no need to edit your existing rules. However, previous rules “Add forced browsing attack tag to requests”, “Add brute force attacks tag to requests” will no longer be visible in the Rules section.

Wallarm Node 3.4 released

 

New

  

news-pic-placeholder (1).png

The new version of Wallarm Node is released. We recommend planning an upgrade soon.

The main changes for Node 3.4:

  • Added support for CloudLinux OS 6.x
  • Version of Envoy used in the Wallarm Envoy-based Docker image has been increased to 1.18.4

Wallarm Node 2.18 and lower are no longer supported. Note: Existing nodes will continue to operate as usual. However, we won't provide hotfixes and will limit support requests.

Before upgrading the agents, please carefully review the list of changes and general recommendations. Should you have any questions, feel free to contact our support team at support@wallarm.com.

Updates from Wallarm’s detection team (October 2021)

 

API Security

  

new-detects.png

We are happy to share recent work on the quality of attack and vulnerability detection!

We have added the support for new attack type detection: SSTI, SSI and Email Injection.

The rule set for detection of other attack types (SQLi, XSS, Path Traversal, Scanner, RCE) is now wider and more accurate.

We have also added the rules for Wallarm Scanner to detect new vulnerabilities in applications:

The changes are already supported by the Wallarm components. Additional product configuration to apply the changes is not required.

Microsoft Teams integration

 

New

  

news-pic-placeholder (6).png

Notifications to your Microsoft Teams channel are now available. Get updates for security and system events:

  • Vulnerabilities detected
  • Scope changed: updates in hosts, services, and domains
  • Exceeded threshold of attack, hit, or incident number
  • Newly added users
  • Deleted or disabled integration

Read more about setting up the integration with Microsoft Teams on our documentation portal.

URI constructor for rule conditions

 

New

  

news-pic-placeholder (4).png

Now rule conditions can be configured faster. It is enough to specify a request address in the newly added URI constructor form, and we will automatically convert it to a variety of conditions for each request point. The conversion result can be extended in the advanced edit form you used before.

The URI constructor accepts regular expressions and several other formats. For more information, check our documentation.

New rules

 

New

  

news-pic-placeholder.png

Reduce the number of false positives by using the following rules:

With other rule types, you can also add headers to the server response or control the mode of the Active threat verification module. For the detailed description of the new rules, check our documentation.

P.S. If our support team has already created these rules, they will be displayed in the Rules section.

Blocking countries, Tor nodes, proxies, and data centers

 

New

  

news-pic-placeholder (1).png

Should your customers come from data centers? Not typically. It could be helpful to exclude some of the traffic sources to improve the security of applications and APIs.

With Wallarm, you can block traffic originated from a specific country based on compliance requirements ,or block Tor exit nodes and popular proxy servers frequently generating a lot of malicious requests.

Wallarm also identifies and displays in the Wallarm Console the IP address sources, i.e countries, data centers, VPN, and residential proxies.

Read more about the new blocking features on our documentation portal.

We rely on the data from 3rd party providers including IP2Location which is a partner of Wallarm.

Wallarm Node 3.2 Released

 

New

 

 

news-pic-placeholder.png

We are pleased to announce the general availability of the Wallarm Node 3.2. This is a major update recommended to install.

Highlights

  • Support for new filtration mode, safe blocking
  • Management of IP address whitelist via the Wallarm Console
  • Ability to whitelist, blacklist, or greylist a subnet, Tor network IPs, VPN IPs, a group of IP addresses registered in a specific country or data center
  • Ability to whitelist, blacklist, or greylist request sources for specific applications
  • New module API Discovery that automatically identifies the application API structure based on real traffic analysis
  • The number of requests originated from blacklisted IPs is now displayed in the statistic service output, in the new parameter blockedbyacl and in the existing parameters requests, blocked

How to upgrade

Upgraded packages of Wallarm node are already available for installation from the repositories, AWS AMI and GCP VM images. The migration guide is available on the docs portal.