checkov scanning web application firewall policy terraform module

Ganesh Thorave 31 Reputation points
2023-09-15T16:11:59.3666667+00:00

I am scanning my Terraform module with Checkov for any loopholes, and it is asking me to fix Log4j, providing the URL below:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-application-gateway-waf-prevents-message-lookup-in-log4j2

However, there is no specific information on how to fix this, as I already have that definition in my Terraform module.


2 answers

  1. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2023-09-15T18:31:02+00:00

    @Ganesh Thorave

    Thank you for reaching out.

    Based on my understanding of your question above, while performing a Checkov scan on your Terraform module, you were prompted to apply a fix for the Apache Log4j 2 vulnerability.

    The remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as "Log4Shell" (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) presented a new attack vector and gained broad attention due to their severity and potential for widespread exploitation.

    In response to this threat, Azure Web Application Firewall (WAF) has updated the OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1/3.2 available for Azure Application Gateway V2. For Azure Application Gateway V2 regional deployments, a new rule, Known-CVEs/800100, was introduced in the rule group Known-CVEs under Managed Rules. Customers are advised to enable a WAF policy with OWASP ModSecurity Core Rule Set (CRS) version 3.0/3.1/3.2 on Application Gateway V2 to immediately enable protection from this threat. This is currently documented in this blog post here.

    Based on the link you shared above: if you have already enabled the OWASP ModSecurity Core Rule Set (CRS) version 3.0/3.1/3.2 ruleset for your WAF, then you need to take no further action, as you are protected from the Apache Log4j 2 vulnerability.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

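The answer above gives the condition the scanner is looking for (an OWASP CRS 3.x managed rule set carrying Known-CVEs/800100) but not why a module that already declares such a rule set can still be flagged. The following is an added example, written for this page and not Checkov's own source or the poster's module: it models that check (which I believe is CKV_AZURE_135) as a function over a plain dict that mirrors the Terraform resource's managed_rules / managed_rule_set / rule_group_override blocks, and runs it over four constructed policies. The set of CRS versions the scanner accepts is an assumption (3.1 and 3.2 here; adjust the constant to match the Checkov release you use), as is the treatment of a rule_group_override that disables rule 800100.

```python
"""Model of the Log4j2 WAF-policy check Checkov runs against
azurerm_web_application_firewall_policy resources.

Constructed illustration, not Checkov's source: a policy is a plain dict
mirroring the Terraform resource's managed_rules / managed_rule_set /
rule_group_override blocks; accepted CRS versions are an assumption.
"""
from typing import Any, Dict, List, Set, Tuple

# Assumption: the scanner accepts the OWASP CRS versions that ship the
# Known-CVEs rule group, and fails the resource again if rule 800100 is
# switched off through a rule_group_override.
ACCEPTED_CRS_VERSIONS = {"3.1", "3.2"}
LOG4J_RULE_GROUP = "Known-CVEs"
LOG4J_RULE_ID = "800100"


def disabled_rule_ids(override: Dict[str, Any]) -> Set[str]:
    """Rule ids switched off in one rule_group_override block, covering both
    the older disabled_rules list and the newer rule { id, enabled } blocks."""
    disabled = {str(rule_id) for rule_id in override.get("disabled_rules") or []}
    for rule in override.get("rule") or []:
        if rule.get("enabled", True) is False:
            disabled.add(str(rule.get("id")))
    return disabled


def evaluate_log4j_policy(policy: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (passed, reason) for one WAF policy dict."""
    managed = policy.get("managed_rules") or {}
    rule_sets: List[Dict[str, Any]] = managed.get("managed_rule_set") or []
    for rule_set in rule_sets:
        # The azurerm provider defaults type to OWASP when it is omitted.
        if rule_set.get("type", "OWASP") != "OWASP":
            continue
        # str() so an unquoted 3.2 in HCL (a number) still compares.
        version = str(rule_set.get("version", ""))
        if version not in ACCEPTED_CRS_VERSIONS:
            continue
        for override in rule_set.get("rule_group_override") or []:
            if override.get("rule_group_name") != LOG4J_RULE_GROUP:
                continue
            if LOG4J_RULE_ID in disabled_rule_ids(override):
                return False, (f"OWASP {version} is enabled but "
                               f"{LOG4J_RULE_GROUP}/{LOG4J_RULE_ID} is disabled")
        return True, f"OWASP {version} enables {LOG4J_RULE_GROUP}/{LOG4J_RULE_ID}"
    return False, f"no OWASP CRS {sorted(ACCEPTED_CRS_VERSIONS)} managed rule set"


# Constructed sample policies (not taken from the poster's module).
PROTECTED = {"managed_rules": {"managed_rule_set": [
    {"type": "OWASP", "version": "3.2"}]}}

# CRS 3.0: covered per the Azure answer above, but outside the modelled set.
OLD_CRS = {"managed_rules": {"managed_rule_set": [
    {"type": "OWASP", "version": "3.0"}]}}

# CRS 3.2 with the Log4j rule explicitly disabled by an override.
OVERRIDDEN = {"managed_rules": {"managed_rule_set": [
    {"type": "OWASP", "version": "3.2",
     "rule_group_override": [{"rule_group_name": "Known-CVEs",
                              "rule": [{"id": "800100", "enabled": False}]}]}]}}

# Only Microsoft_DefaultRuleSet: the modelled check looks at OWASP sets only,
# so this fails regardless of what DRS itself covers.
DRS_ONLY = {"managed_rules": {"managed_rule_set": [
    {"type": "Microsoft_DefaultRuleSet", "version": "2.1"}]}}


def scan(policies: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    """Evaluate several named policies; return name -> passed."""
    results: Dict[str, bool] = {}
    for name, policy in policies.items():
        passed, reason = evaluate_log4j_policy(policy)
        results[name] = passed
        print(f"{'PASSED' if passed else 'FAILED'} {name}: {reason}")
    return results


if __name__ == "__main__":
    scan({"protected": PROTECTED, "old_crs": OLD_CRS,
          "overridden": OVERRIDDEN, "drs_only": DRS_ONLY})
```

To map a real module onto this, take the `managed_rules { managed_rule_set { type = "OWASP" version = "3.2" } }` block of the `azurerm_web_application_firewall_policy` resource and check three things the model fails on: the `version` string itself, any `rule_group_override` for `Known-CVEs` that disables `800100`, and a policy that carries no OWASP set at all. If your block already satisfies all three and the scan still fails, compare your Checkov version's check source, since the accepted versions and attribute names modelled here are assumptions.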

  2. Dan Rios 1,985 Reputation points MVP
    2023-09-15T18:31:30.37+00:00

    Hi there,

    Take a look at this GitHub issue on a similar issue, is this relevant for your situation?

    https://github.com/bridgecrewio/checkov/issues/2101

