KrakenD unaffected by Log4j
by Albert Lombarte
The year 2021 ended with terrible news for Java developers, who saw how the Log4j vulnerabilities exposed their systems.
KrakenD is a Go application, not a Java application. Therefore, it is not affected by this vulnerability in any way. For that reason, we didn't want to add more noise to the chain of emails you have probably received.
Nevertheless, during the past month we have had questions from customers who run Java systems behind KrakenD that could be vulnerable, and from other users who weren't sure whether KrakenD was impacted or not. So we want to explain in this email what KrakenD can do to help.
KrakenD uses a zero-trust policy when routing requests to the connected backends by default. The default policy for data forwarding works as follows:
- No query string parameters are forwarded
- No headers are forwarded
- No cookies are forwarded
The Log4j vulnerability is triggered when malicious users place crafted values in HTTP headers, and those values open the door to executing arbitrary code on a Java system. That is how we got to see things like users playing Doom on a Minecraft server on the Internet.
As KrakenD has always had this no-trust policy set by default, the result is that if you have Log4j-vulnerable systems behind KrakenD, the malicious headers won't reach your Java backends by default (unless you have explicitly configured them to do so!).
Regarding the KrakenD configuration, regardless of the underlying backend technology you use (Java or not), our constant recommendation is not to enable policies that forward everything. Avoid these two patterns in KrakenD configurations to rule out unexpected injections:
```json
{
  "headers_to_pass": ["*"],
  "querystring_params": ["*"]
}
```
Instead, list only the headers and query strings you recognize.
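As an added illustration (not a configuration from the original post or from the KrakenD project), the following endpoint definitions put the forward-everything pattern beside an allowlisted one. The endpoint paths, the `java-orders.internal` host and the chosen header and parameter names are constructed for the example; the `@comment` keys are the KrakenD convention for annotations that the gateway ignores.

```json
{
  "version": 2,
  "endpoints": [
    {
      "@comment": "Weak: every header and query string the client sends reaches the backend",
      "endpoint": "/legacy/orders",
      "method": "GET",
      "headers_to_pass": ["*"],
      "querystring_params": ["*"],
      "backend": [
        {
          "host": ["http://java-orders.internal:8080"],
          "url_pattern": "/orders"
        }
      ]
    },
    {
      "@comment": "Hardened: only the names listed here are forwarded; everything else is dropped at the gateway",
      "endpoint": "/orders",
      "method": "GET",
      "headers_to_pass": ["Authorization", "Accept"],
      "querystring_params": ["page", "limit"],
      "backend": [
        {
          "host": ["http://java-orders.internal:8080"],
          "url_pattern": "/orders"
        }
      ]
    }
  ]
}
```

With the second endpoint, a request carrying an unexpected header or parameter is still answered by KrakenD, but only `Authorization`, `Accept`, `page` and `limit` are passed on to the Java backend; omitting both keys entirely gives the default behaviour, where nothing is forwarded.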
More vulnerabilities like Log4j will appear in the future, and header injection is nothing new. By taking a zero-trust approach in KrakenD, we hope to help you once more when the next one arrives.
Happy new year, and code safe!