CVE-2021-44228 irule mitigation?
Hi @Daniel Martinez,
the following iRule will check the headers and the payload of any POST request for the string and reject them.
This iRule is provided "as is", without a warranty that it is a guaranteed protection against this CVE or any kind of performance testing.
Patching your servers, or using AWAF or Threat Campaigns is the better alternative.
Currently, in my opinion, the best read on this vulnerability is: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
AWAF, TC and NGINX App Protect signatures are available: https://support.f5.com/csp/article/K19026212
KR
Daniel
- EDIT1: Since the vulnerability is applicable to any input field, I added also query parameters to be searched for the string .
- EDIT2: Updated to match regex for variants of LDAP, LDAPS, DNS, RMI
- EDIT3: added URI::decode to discover obfuscation, as suggested by John Alam. Thanks for the hint!
  Still not scanning the entire HTTP request with
- EDIT 4: copy/pasted the code in as an image for syntax highlighting and to pass infrastructure rules that won't allow for "malicious" code. -lz
In case someone is interested, here is my Postman Collection which I used for testing:
https://raw.githubusercontent.com/webserverdude/f5-general/main/iRules/CVE-2021-44228.postman_collection.json
In the same repo there's the current version of the iRule > rule_mitigate_CVE-2021-44228.irul
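
A sketch of the checks the post describes (URI and query parameters, header values, POST payload, URI::decode before matching, the LDAP/LDAPS/DNS/RMI variants), added here as an example. It is not the author's iRule from the repo; the regex, the decode bound, the 1 MB collect cap and the proc name `is_suspicious` are assumptions, and the post's "as is" caveat applies to it equally.

```tcl
# Added example, not the author's iRule. Regex, 5-pass bound, 1 MB cap and proc name are assumptions.
when RULE_INIT {
    # JNDI lookup prefix with one of the schemes named in EDIT2
    set static::jndi_re {\$\{jndi:(ldaps?|dns|rmi):}
    set static::max_collect 1048576
}

proc is_suspicious { value } {
    # URI::decode until the value stops changing (at most 5 passes), then match
    set decoded $value
    for { set i 0 } { $i < 5 } { incr i } {
        set next [URI::decode $decoded]
        if { $next eq $decoded } { break }
        set decoded $next
    }
    return [regexp -nocase -- $static::jndi_re $decoded]
}

when HTTP_REQUEST {
    # HTTP::uri covers the path and the query parameters (EDIT1)
    set hit [call is_suspicious [HTTP::uri]]
    foreach name [HTTP::header names] {
        if { $hit } { break }
        foreach value [HTTP::header values $name] {
            if { [call is_suspicious $value] } { set hit 1; break }
        }
    }
    if { $hit } {
        log local0.warning "CVE-2021-44228 pattern in URI or header from [IP::client_addr]"
        reject
        return
    }
    # Only POST bodies that declare a Content-Length are collected, up to the cap
    if { [HTTP::method] eq "POST" } {
        set len [HTTP::header value "Content-Length"]
        if { [string is integer -strict $len] && $len > 0 } {
            if { $len > $static::max_collect } { set len $static::max_collect }
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    if { [call is_suspicious [HTTP::payload]] } {
        log local0.warning "CVE-2021-44228 pattern in POST payload from [IP::client_addr]"
        reject
        return
    }
    HTTP::release
}
```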