They’ve suggested blocking ${ in the request

Icingdeath · on June 3, 2022

Using nginx in front of my local confluence server (not listening on the internet) and used the following:

  location ~\* \$\{. {
          deny all;
  }

but this only helps if this vulnerability is triggered using the request uri otherwise it's useless

bombcar · on June 3, 2022

Anyone know how you'd quote it for Apache rewrite?

        RewriteEngine On
        RewriteCond %{REQUEST_URI} ^.*\${.*$
        RewriteRule ^/(.*) https://google.com [R=302,L]

seems to work ...

justin_oaks · on June 3, 2022

The security advisory from Atlassian says blocking ${ "may reduce your risk". That's a far cry from being a fix.

technion · on June 3, 2022

I really worry about these sort of claims. I'm seeing pushback from people about shutting servers down because it's insisted "a WAF is protecting us now", and that's based on a "may reduce risk".

tyingq · on June 3, 2022

I would worry about just using that blocking pattern. They mention OGNL injection and ${ is just one pattern you can go after. There's also #{, %{, #var, and more.

richbell · on June 3, 2022

Same issue with log4shell. "Why are you bugging us? We already applied <mitigation posted 2 weeks ago that has since been disproven>."

jpetrucc · on June 3, 2022

posting a snippet for HAProxy in case its helpful to someone else (or if others have recommendations on how to better do this)

  http-request deny if { path -m sub ${ }
  http-request deny if { query -m sub ${ }
  http-request deny if { path -m sub $%7B }
  http-request deny if { query -m sub $%7B }
  http-request deny if { path -m sub %24%7B }
  http-request deny if { query -m sub %24%7B }