iRule to mitigate CVE-2022-26134 (Confluence)
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence. Atlassian has released a patch and, where patching is not yet possible, recommends disconnecting vulnerable systems from the internet. As far as I can see so far, there is no Threat Campaigns signature or Attack Signature to mitigate this attack.
A bit of analysis: parts of the POC code and the example curl command snippets look like the following examples (after URL-decoding).
In the POC code and the example curl command snippets, attackers create and use an HTTP header to return the command response.
Example response header for whoami command:
X-Cmd-Response: confluence
Looking at another part of the POC code and the example curl command snippets, this is achieved by calling setHeader on the response object:
@getResponse().setHeader("X-Cmd-Response"
A full curl example would look like this (note: special characters are URL encoded):
This linked iRule should help to fend off the first wave of script kiddies.
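As an added illustration of the approach described above (this is example code written for this page, not the linked iRule and not F5's or Atlassian's code), the following iRule checks the URL-decoded request URI for the setHeader pattern quoted above and, as a second line of defence, logs and strips the X-Cmd-Response header if a response carrying it ever leaves the server. The glob pattern, the log messages and the 403 response are assumptions chosen for this example; the only strings taken from the post are "getResponse().setHeader" and "X-Cmd-Response".

```tcl
# Added example iRule for CVE-2022-26134 (not the author's linked iRule).
# Assumes a standard virtual server with an HTTP profile attached.
when HTTP_REQUEST {
    # Decode the URI once so URL-encoded variants are inspected in decoded
    # form, then lower-case it so the match is case-insensitive.
    set decoded_uri [string tolower [URI::decode [HTTP::uri]]]

    # Pattern taken from the PoC fragment quoted in the post; the "*" wildcards
    # are an assumption so that whitespace or quoting variants still match.
    if { [string match "*getresponse()*setheader(*" $decoded_uri] } {
        log local0. "CVE-2022-26134 pattern from [IP::client_addr]: [HTTP::uri]"
        HTTP::respond 403 content "Forbidden"
        return
    }
}

when HTTP_RESPONSE {
    # Second line of defence: the PoCs return command output in this header.
    # Seeing it means a request got past the URI check and should be
    # investigated; remove it so the attacker gets no output either way.
    if { [HTTP::header exists "X-Cmd-Response"] } {
        log local0. "X-Cmd-Response header in response to [IP::client_addr]"
        HTTP::header remove "X-Cmd-Response"
    }
}
```

Two caveats for anyone deploying something like this: it only recognises the specific setHeader pattern shown in the post, so a payload that returns output another way will not be caught by the request check, and it is a stop-gap until the Atlassian patch is applied, not a replacement for it. The log lines are also useful on their own for spotting who is probing the server.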
PS. It seems that part of the POC code and parts of my iRule are offending the DevCentral platform. Therefore I put screenshots and GitHub links rather than inline code.