Forum Discussion

danielm1's avatar
danielm1
Icon for Cirrus rankCirrus
Dec 11, 2021

CVE-2021-44228 irule mitigation?

Hello there, Is there any iRule mitigation for the CVE-2021-44228? In support askf5 there is a mitigation using ASM but if I don't have it yet. Could I use an iRule?   Regards, Daniel
ASM Advanced WAF
LTM
security
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

Hi @Daniel Martinez​,
the following iRule will check the headers and the payload of any POST request for the stringand reject them.

This iRule is provided "as is", without a warranty that it is a guaranteed protection against this CVE or any kind of performance testing.

Patching your servers, or using AWAF or Threat Campaigns is the better alternative.

Currently, in my opinion, the best read on this vulnerability is: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/

AWAF, TC and NGINX App Protect signatures are available: https://support.f5.com/csp/article/K19026212

KR

Daniel

  • EDIT1: Since the vulnerability is applicable to any input field, I added also query parameters to be searched for the string 
  • EDIT2: Updated to match regex for variants of LDAP, LDAPS, DNS, RMI
  • EDIT3: added URI::decode to discover obfusction, as suggested by John Alam​. Thanks for the hint!
    Still not scanning the entire HTTP request with
  • EDIT 4: copy/pasted the code in as an image for syntax highlighting and to pass infrastructure rules that won't allow for "malicious" code. -lz
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Dec 11, 2021

Last update from my side. F5 has provided iRules to mitigate CVE-2021-44228 here: https://support.f5.com/csp/article/K19026212

Due to a more strict regex the F5 iRule will also protect you against the recently observed more obfuscated variants such as:

I'm done.

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Dec 14, 2021

    Hi @danielm,

     

    usually I am not asking for this, but the Log4shell issue is kind of important.

    Could you please mark this question as "Answered"? Under each answer there is "Select As Best", which is equivalent to "Answered". Just select my above answer as best. This way other community members can find the iRule mitigation for CVE-2021-44228 faster and easier.

     

    Thanks in advance & KR

    Daniel