Forum Discussion
CVE-2021-44228 irule mitigation?
Hi @Daniel Martinez,
the following iRule will check the headers and the payload of any POST request for the stringand reject them.
This iRule is provided "as is", without a warranty that it is a guaranteed protection against this CVE or any kind of performance testing.
Patching your servers, or using AWAF or Threat Campaigns is the better alternative.
Currently, in my opinion, the best read on this vulnerability is: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
AWAF, TC and NGINX App Protect signatures are available: https://support.f5.com/csp/article/K19026212
KR
Daniel
- EDIT1: Since the vulnerability is applicable to any input field, I added also query parameters to be searched for the string .
- EDIT2: Updated to match regex for variants of LDAP, LDAPS, DNS, RMI
- EDIT3: added URI::decode to discover obfusction, as suggested by John Alam. Thanks for the hint!
Still not scanning the entire HTTP request with - EDIT 4: copy/pasted the code in as an image for syntax highlighting and to pass infrastructure rules that won't allow for "malicious" code. -lz
- Daniel_WolfDec 11, 2021MVP
In case someone is interested, here is my Postman Collection which I used for testing:
https://raw.githubusercontent.com/webserverdude/f5-general/main/iRules/CVE-2021-44228.postman_collection.json
In the same repo there's the current version of the iRule > rule_mitigate_CVE-2021-44228.irul
- Daniel_WolfDec 11, 2021MVP
Last update from my side. F5 has provided iRules to mitigate CVE-2021-44228 here: https://support.f5.com/csp/article/K19026212
Due to a more strict regex the F5 iRule will also protect you against the recently observed more obfuscated variants such as:
I'm done.
- Daniel_WolfDec 14, 2021MVP
Hi @danielm,
usually I am not asking for this, but the Log4shell issue is kind of important.
Could you please mark this question as "Answered"? Under each answer there is "Select As Best", which is equivalent to "Answered". Just select my above answer as best. This way other community members can find the iRule mitigation for CVE-2021-44228 faster and easier.
Thanks in advance & KR
Daniel
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com