We’re excited to introduce the Native Node, a new deployment option for the Wallarm Node that operates independently of NGINX. This solution was developed for environments where NGINX is not required or where a platform-agnostic approach is preferred. 

The Native Node allows both request and response analysis with Wallarm connectors. It is currently designed for connectors and supports deployment with MuleSoft, Cloudflare, and CloudFront. 

In addition, the Native Node now supports new connectors, allowing you to secure APIs running through Kong API Gateway and Envoy, expanding its use for modern API management solutions.

To provide flexibility across various self-hosted environments, we have released several deployment artifacts for the Native Node:

• All-in-one installer for Linux-based machines
• Docker image for containerized environments
• Helm chart for Kubernetes deployments

If you are wondering if Native Node is right for your deployment, please contact support or read the documentation. 

We are excited to announce the release of Wallarm Node 5.0! This major update represents a significant shift in our technology stack, bringing enhanced performance and scalability to your Wallarm deployment.

Key Highlights:

• New Technology Stack: The Wallarm node has been re-engineered from a Ruby-based implementation to Go, resulting in a faster, more scalable, and resource-efficient solution.
• Performance Improvements: The Wallarm Postanalytics module’s performance has been improved:
  • CPU Usage: Reduced from 0.5 CPU cores to just 0.1 CPU cores.
  • Memory Usage: Lowered by 400 MB at a traffic rate of 500 requests per second.

File System Updates:

• Consolidated Logging: Logs from almost all services are now recorded in a single file, wcli-out.log, simplifying log management.
• Updated Diagnostic Script Path: The diagnostic script has been moved to /opt/wallarm/collect-info.sh from its previous location.

Important Notes:

• This release focuses on technical refactoring and does not introduce any changes in functionality. All features supported in the previous version (4.10) are retained in 5.0.

For a detailed overview of all changes and update instructions, please refer to our updated documentation.

A recent supply chain attack has compromised over 100,000 websites through the popular Polyfill JavaScript library. The library is widely used to ensure compatibility with modern JavaScript features in older browsers. Different web applications and Content Management Systems (e.g. Magento), include code that introduces static script imports of JavaScript code sourced from cdn.polyfill.io.

Earlier this year, a Chinese company acquired the Polyfill domain. The attackers used the control of the domain to distribute malicious JavaScript code instead of legitimate libraries. This allows performing arbitrary malicious activity in the context of the victim's browser: redirecting users to phishing sites, stealing sensitive information, or even further propagating malware.

The attack is similar to stored Cross-Site Scripting (XSS) and does not require any actions from the victim other than visiting a web page. Successful attacks have already been recorded on other websites.

The Wallarm platform detects the compromised applications and the corresponding web pages with static imports of JavaScript code from the *polyfill.io domain and other malicious domains involved in this campaign: (kuurza[.]com, googie-anaiytics[.]com, bootcss[.]com, macoms[.]lanewcrbpc[.]com, polyfill[.]io, bootcdn[.]net, staticfile[.]net, unionadjs[.]com, xhsbpza[.]com).

Check the vulnerabilities page in the Wallarm console for the vulnerability “Malicious JavaScript injection via supply chain attack (polyfill.io)” as demonstrated on the figure below. If the vulnerability was found:

1. Consider removing the Polyfill library entirely from the application’s dependencies.

2. Ensure that there are no references to malicious domains in the source code: (kuurza[.]com, googie-anaiytics[.]com, bootcss[.]com, macoms[.]lanewcrbpc[.]com, polyfill[.]io, bootcdn[.]net, staticfile[.]net, unionadjs[.]com, xhsbpza[.]com).

3. If Polyfill functionality is needed, consider using trustworthy alternatives.

4. Investigate potential incidents of attacks on your application users.

If the vulnerability was not found, we still recommend analyzing the source code of all projects, especially those not protected with the Wallarm platform.

An update to our filtering node is live. Node 4.10.7 is designed to support new features, and to address number of performance updates. 

This version of the Wallarm node includes updates for several NGINX versions. Full details are included in our updated documentation. 

Other key changes are:

• API Specification Enforcement no longer requires manual NGINX configuration
• Optimized OpenAPI data type detection by the API Discovery module

We have also updated documentation for our all-in-one installer including detailed information about migration from from DEB/RPM packages to AiO.

Today we'd like to announce a new version of our filtering node. Node 4.10.6 is designed to support new features, but also includes a number of performance updates. 

The key features include:

• Enhanced OpenAPI data type detection by the API Discovery module
• Improved memory utilisation in long-lived gRPC connections
• Added support for NGINX v1.26.0
• Fixed compatibility issues with the Kong Gateway
• Return proper non-zero exit codes during installation errors, addressing previous issues
• Ability to test regular expressions intended for user-defined attack detectors

Full details are included in our updated documentation. 

We are excited to announce the release of the latest update to Wallarm Node, version 4.10.4, which is now available for installation.

This update includes several performance improvements that enhance your overall experience with our software.
Key updates in this version include:

• Added support for API Specification Enforcement (Coming Soon!)
• Added support for GraphQL API Protection (Coming Soon!)
• Added support for NGINX v1.25.4

Previous updates 4.10.3 and 4.10.2 introduced:

• Internal improvements for higher reliability and security, including better synchronization between the filtering node and Wallarm Cloud, and reducing overall node memory usage.

• Fixed vulnerabilities:

  • CVE-2021-43809
  • CVE-2023-48795

We have also upgraded 4.8.9 performance for Nginx Ingress reducing CPU resources consumption by half.

These changes reflect our ongoing commitment to quality and customer satisfaction.

For detailed information and instructions, please refer to our documentation.

We've updated the Wallam platform to support filtering for 282 additional known vulnerabilities in the Attacks section.

When Wallarm detects an attack, the platform attempts to identify whether the attack is attempting to exploit a known vulnerability (CVE) in a specific software component. The decision is made based on the request structure, malicious payload, parameter names, metadata, and more. The updates released in Q1 2024 included new attribution rules for 282 vulnerabilities (CVEs), the majority of which are notable, recent, or widely exploited vulnerabilities observed among all Wallarm traffic. 

Wallarm users are able to find exploitation attempts of a specific vulnerability by simply typing the CVE identifier in the “CVEs and Exploits” search field in the Attacks section of the Wallarm Console.

Searching for a specific vulnerability allows users to identify attacks on their infrastructure using recently published exploits. It may also be useful for conducting a retrospective analysis during the incident investigation process.

The following example demonstrates searching for exploitation of Auth Bypass in TeamCity (CVE-2024-27198).

As of this update, Wallarm users are currently able to search for 1505 vulnerabilities.

On Friday April 12, Palo Alto disclosed that some versions of PAN-OS are not only vulnerable to remote code execution, but that the vulnerability has been actively exploited to install backdoors on Palo Alto firewalls. A patch is expected to be available on April 14th.The advisory from Palo Alto is here. The CISA advisory is here. Palo Alto has marked this vulnerability as critical and NVD has scored it a 10.0 with CVSSv3. 

Wallarm currently detects attacks against this vulnerability with no additional configuration required. Wallarm will block these attacks as long as the filtering nodes are configured in blocking mode. Wallarm users who have protected their Palo Alto devices with Wallarm nodes can search for these attacks either by filtering for the CVE ID using the “CVEs and Exploits” filter or by filtering for their vulnerable Palo Alto devices and the attack type “RCE.” 

Customers can also search their Palo Alto logs for requests to /api with an XML body containing . 

In March, Wallarm issued a significant update of our detection rules for multiple attack types. The most impactful improvements were aimed at detection of Remote Code Execution, Local File Exclusion, Server Side Template Injections and Command Injection attacks.

In addition, new indicators of Out-of-Band (OOB/OAST) attack techniques were added to the product.

The update also included detection of the critical, widely-exploitable vulnerabilities listed below:

• Server-Side Request Forgery in NextJS
• Auth Bypass in TeamCity (CVE-2024-27198)
• Auth Bypass in TeamCity (CVE-2024-27199)
• Arbitrary File Read Vulnerability Leading to RCE in Jenkins (CVE-2024-23897)
• Authentication Bypass in Fortra GoAnywhere MFT (CVE-2024-0204)
• OS Command Injection in MajorDoMo  (CVE-2023-50917)
• Account Takeover via Password Reset in GitLab (CVE-2023-7028)
• Remote Code Execution in Apache OFBiz (CVE-2023-51467)
• Adobe ColdFusion WDDX Deserialization Gadgets (CVE-2023-44353)
• Adobe ColdFusion Pre-Auth RCE (CVE-2023-29300)
• Remote Code Execution in Juniper(CVE-2023–36845)
• Authentication Bypass in Ivanti ICS (CVE-2023-46805)

We highly recommend that customers validate whether these components are used in their infrastructure and update them to the latest versions.

We are excited to introduce our latest new feature: NIST CSF 2.0 Dashboards for the Wallarm platform. These dashboards offer a high-level overview of Wallarm security controls that comply with the NIST CSF version 2.0, empowering teams to effectively assess the security level of their APIs. Utilizing the NIST Cybersecurity Framework, our product now delivers comprehensive insights into your security posture, aligning with industry standards and best practices. This feature is designed to guide you through identifying, protecting, detecting, and responding to cybersecurity threats, ensuring a resilient infrastructure. Leverage this new dashboard to assess and improve your API and application security controls.

You can find more detailed information about this feature in our documentation.