Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CC-00185
- credit Snyk Research Team
Description
The 'Known bad inputs' (AWSManagedRulesKnownBadInputsRuleSet) managed rule group contains rules that block request patterns that are invalid or known to be associated with vulnerabilities, such as Log4j.
How to fix?
Set rule.statement.managed_rule_group_statement.name
to AWSManagedRulesKnownBadInputsRuleSet
and rule.statement.managed_rule_group_statement.vendor_name
to AWS
.
Additionally, rule.override_action
must not be set to count
, and the following rules must not be excluded:
Log4JRCE
Log4JRCE_ALL_HEADER
Note that the 'Log4JRCE' WAFv2 rule (and many others) only inspects the first 8 KB of the request body, so you may additionally want to ensure that the 'Core rule set' (AWSManagedRulesCommonRuleSet) is also included, as the 'SizeRestrictions_BODY' rule in that managed rule group verifies that the request body size is at most 8 KB.
Example Configuration
resource "aws_wafv2_web_acl" "valid1" {
name = "valid1"
scope = "CLOUDFRONT"
default_action {
allow {}
}
rule {
name = "valid1rule1"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}