Query regarding Port LockDown and HTTPD Process Update // K52145254
Regarding Temporary Mitigation with Self IP ( https://support.f5.com/csp/article/K52145254 )
We have seen "Allow Default" on one of the self IPs, which carries production traffic. If I change it to "Allow None", service-wise, what will the impact be?
Regarding Temporary Mitigation of All Network Interfaces Section. ( https://support.f5.com/csp/article/K52145254 )
Below is the 6 step process from the above doc specifically about modifying the HTTPD process. Service-wise, what will the impact be if I do the 7 step change below? I have mostly web services hosted on the F5, which mostly use an HTTP profile in the VIP configuration. My question is also whether making this 7 step change will impact F5 traffic.
All network interfaces
To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so perform the following procedure:
Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. Edit the httpd properties by entering the following command:
edit /sys httpd all-properties
Note: This will put you into the vi editor
3. Locate the line which starts with include none and replace it with the following:
include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'
Write and save the changes to the configuration file by entering the following vi commands:
Esc
:wq!
When further prompted to Save Changes (y/n/e) enter y
4. Save the configuration by entering the following tmsh command:
save /sys config
5. Exit the tmsh shell by typing quit and pressing Enter
6. Check that the workaround has been correctly inserted into the configuration by comparing the output of the following command to the LocationMatch fragment inserted in step 3:
grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf
The output should match:
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Note: You may disregard any leading white spaces
7. To activate the mitigation, restart the httpd service by entering the following command:
restart sys service httpd
And my question is: how do I verify that the temporary workaround has solved the vulnerability?
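As an added example (not from the original post and not F5's own code), here is a small shell script covering both questions above. It assumes it is run from the BIG-IP bash prompt, that the management URL and the self IP name are placeholders you replace with your own, and that the local curl supports `--path-as-is`. `check_httpd_conf` is the step 6 comparison made strict (all three lines must be present, leading whitespace ignored); `probe_mitigation` confirms the mitigation is live by sending a request whose path contains `..;`, which the inserted LocationMatch must answer with 404. Because step 5 leaves tmsh, the step 7 restart is typed at the bash prompt as `tmsh restart sys service httpd`. The self IP functions show the port lockdown change; the HA-only variant is the safer choice when the self IP also carries config sync or failover traffic, since "Allow None" closes those listeners too.

```shell
#!/bin/sh
# Added example for K52145254; not code from the original post or from F5.
# Assumptions: run from the BIG-IP bash prompt (tmsh and curl available).
# Management URL and self IP name are placeholders supplied as arguments.

# The exact fragment the KB article tells you to insert into httpd.conf.
WORKAROUND_OPEN='<LocationMatch ".*\.\.;.*">'

# Static check (KB step 6): the block must be present as three consecutive
# lines, leading whitespace ignored. Returns 0 if found, 1 otherwise.
check_httpd_conf() {
    conf="${1:-/etc/httpd/conf/httpd.conf}"
    block=$(grep -A2 -F "$WORKAROUND_OPEN" "$conf" 2>/dev/null | sed 's/^[[:space:]]*//')
    printf '%s\n' "$block" | grep -qx 'Redirect 404 /' &&
        printf '%s\n' "$block" | grep -qx '</LocationMatch>'
}

# Live check: after "tmsh restart sys service httpd", any request whose
# path contains "..;" must be answered with 404 by the LocationMatch.
# --path-as-is stops curl from normalising the dot segments away.
# Usage: probe_mitigation https://192.0.2.10   (placeholder management address)
probe_mitigation() {
    base="${1:?usage: probe_mitigation https://<mgmt-ip>}"
    code=$(curl -sk --path-as-is -o /dev/null -w '%{http_code}' "$base/..;/")
    [ "$code" = "404" ]
}

# Port lockdown on a self IP. "Allow None" closes every listener on the
# self IP itself (TMUI, SSH, config sync, failover, mirroring); traffic
# to virtual servers is handled by TMM and is not affected. If the self
# IP is the device's config-sync or failover address, use the HA-only
# variant instead of none. Self IP name is a placeholder argument ($1).
show_self_ip_lockdown() {
    tmsh list net self "$1" allow-service
}

lock_self_ip_none() {
    tmsh modify net self "$1" allow-service none
    tmsh save sys config
}

# Config sync (TCP 4353) and network failover (UDP 1026) only.
lock_self_ip_ha_only() {
    tmsh modify net self "$1" allow-service replace-all-with { tcp:4353 udp:1026 }
    tmsh save sys config
}
```

The probe only shows that the LocationMatch is in effect on the management plane (httpd); HTTP-profile virtual servers are served by TMM, so neither the httpd change nor the self IP lockdown touches VIP traffic. As the article's own note says, authenticated users can still reach the vulnerable code, so treat this as an interim measure until the software is upgraded.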