James Moberg

Log4j Exploit Pattern Detection Using ColdFusion/CFML

Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At the time of testing, Azure wasn't blocking requests. I had to be a little careful with the script, as Windows kept instantly quarantining the CFM files and preventing ColdFusion from executing the template.

2021-12-29: Updated rules based on a Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace).

Sample CFML code available at https://gist.github.com/JamoCA/6a8c612645b1b7c47eba8e317ad51d23
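
One way to express the detection described above, as an added example that is not the code from the author's gist: each request value is URL-decoded, stripped of whitespace, and has nested lookups collapsed before it is matched against `${jndi:` followed by ldap, ldaps, rmi or dns. The function names and the sample values are constructed for illustration, and treating ldap as the baseline protocol is an assumption.

```cfml
<cfscript>
// Added illustration; function names are hypothetical and this is not the gist's code.
// True if the value contains a JNDI lookup after decoding and de-obfuscation.
function containsJndiLookup(required string value) {
    // ldap is an assumed baseline; rmi, ldaps and dns come from the post's update.
    var pattern = "\$\{jndi:(ldaps?|rmi|dns):";
    var s = arguments.value;
    // Undo URL encoding, up to three layers, stopping when nothing changes.
    for (var i = 1; i <= 3; i++) {
        var decoded = s;
        try { decoded = urlDecode(s); } catch (any e) { break; }
        if (compare(decoded, s) == 0) break;
        s = decoded;
    }
    // Strip all whitespace, as in the post's updated rules.
    s = reReplace(s, "\s+", "", "all");
    // Test first, then collapse one level of nested lookups; repeat until stable.
    // Testing before each collapse keeps a trailing ":-x" from hiding a match.
    for (var pass = 1; pass <= 10; pass++) {
        if (reFindNoCase(pattern, s) > 0) return true;
        var before = s;
        // ${lower:j} and ${upper:j} become j
        s = reReplaceNoCase(s, "\$\{(lower|upper):([^\$\{\}]*)\}", "\2", "all");
        // ${anything:-j} (default-value syntax) becomes j
        s = reReplace(s, "\$\{[^\$\{\}]*:-([^\$\{\}]*)\}", "\1", "all");
        if (compare(before, s) == 0) break;
    }
    return reFindNoCase(pattern, s) > 0;
}

// Returns the keys of a struct (form, url or header values) that match.
function findJndiLookups(required struct values) {
    var hits = [];
    for (var key in arguments.values) {
        var raw = arguments.values[key];
        if (!isSimpleValue(raw)) continue;
        if (containsJndiLookup(raw)) arrayAppend(hits, key);
    }
    return hits;
}

// Constructed sample values standing in for request data (not captured traffic).
sample = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "X-Api-Version": "${jndi:ldap://example.invalid/a}",
    "q": "$%7B$%7Blower:j%7Dndi:$%7Blower:r%7Dmi://example.invalid/a%7D",
    "ref": "$ { jndi : dns : //example.invalid/a }"
};
writeDump(findJndiLookups(sample));
</cfscript>
```

In a live template the same function could be run over `form`, `url` and the headers struct from `getHttpRequestData()`, with matches logged by key name rather than by raw value.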
