Forum Discussion
How to block /_async/* and /wls-wsat/* at the F5 Load Balancer for Oracle WebLogic server.
Critical remote code execution vulnerability found in Oracle WebLogic server.
Can you please suggest how to block /_async/* and /wls-wsat/* at the F5 Load Balancer?
Is it possible to do it via an iRule on LTM, or any other way?
Thank you
- Dario_Garrido
Noctilucent
Three ways to do it...
Using 'contains':

    when HTTP_REQUEST {
        # Match the two WebLogic paths anywhere in the lower-cased URI
        if { ([string tolower [HTTP::uri]] contains "_async") || ([string tolower [HTTP::uri]] contains "wls-wsat") } {
            drop
        }
    }

Using 'starts_with':

    when HTTP_REQUEST {
        # Match only URIs that begin with the two WebLogic paths
        if { ([string tolower [HTTP::uri]] starts_with "/_async") || ([string tolower [HTTP::uri]] starts_with "/wls-wsat") } {
            drop
        }
    }

But the best option is to configure a policy in LTM which has exactly the same options I'm using in the previous iRules and is faster.
REF - https://devcentral.f5.com/articles/ltm-policy
KR, Dario.
- davidfisher
Cirrus
Is this a good way to use iRules to just block a CVE? Can't we use ASM to do this?
This iRule is creating a problem with the F5 maintenance page iRule which we are using.
I have these iRules applied, and the moment I add the one with the maintenance page, the connection just starts dropping.
=-=-=

    ### MAINT PAGE IRULE
    when HTTP_REQUEST {
        if { [active_members XXX_pool] == 0 } {
            HTTP::respond 200 content [ifile get main-image]
        }
    }

******

    when HTTP_REQUEST {
        if { [HTTP::has_responded] } { return }
        if { [HTTP::path] equals "/" } {
            HTTP::respond 302 Location "https://testing.com/testingweb/common/tesnet.jsf" Strict-Transport-Security "max-age=16070400"
            return
        }
    }

******

    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { ( $uri contains "/wls-wsat/") or ( $uri contains "/_async/") } {
            drop
        }
    }

=-=-=
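
The three iRules posted above each register their own HTTP_REQUEST handler. As an added example (not code from the thread or from F5), the same checks can be folded into a single handler so the block runs first and at most one of `drop` or `HTTP::respond` acts on any request; the pool, iFile and redirect names are the ones posted above, and the order of the checks is an assumption about the intended behaviour.

```tcl
# Added example: a single HTTP_REQUEST handler replacing the three iRules above.
# XXX_pool, main-image and the redirect URL are the names posted in the thread;
# the order of the checks is an assumption.
when HTTP_REQUEST {
    # 1. Block the WebLogic paths first, before any response is generated.
    set uri [string tolower [HTTP::uri]]
    if { ($uri contains "/wls-wsat/") or ($uri contains "/_async/") } {
        log local0. "Blocked WebLogic path from [IP::client_addr]: [HTTP::uri]"
        drop
        return
    }

    # 2. Maintenance page when the pool has no active members.
    if { [active_members XXX_pool] == 0 } {
        HTTP::respond 200 content [ifile get main-image]
        return
    }

    # 3. Redirect requests for the root path.
    if { [HTTP::path] equals "/" } {
        HTTP::respond 302 Location "https://testing.com/testingweb/common/tesnet.jsf" Strict-Transport-Security "max-age=16070400"
        return
    }
}
```

Because every branch ends in `return`, the separate `HTTP::has_responded` guard is not needed in this form, and the log line gives a record of each blocked request for review.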