CVE-2017-9805
Problem this snippet solves:
Help mitigate CVE-2017-9805 while patching Struts2
How to use this snippet:
Apply the iRule to any VIP that fronts applications using the old Struts2 REST code, and modify it according to your platform.
Code :
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        ## Trigger the collection for up to 1MB of data
        if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] <= 1048576 } {
            set content_length [HTTP::header value Content-Length]
        } else {
            set content_length 1048576
        }
        ## Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    ## Inspect the collected request body for Java process or shell strings
    set payload [HTTP::payload]
    if { ($payload contains "java.lang.ProcessBuilder") || ($payload contains "java.lang.Process") || ($payload contains "/bin/sh") || ($payload contains "/bin/bash") } {
        log local0. "to [HTTP::host] uri: [HTTP::uri] from [IP::client_addr] Possible CVE-2017-9805 - payload contains java or shell phrasing"
        ## As written, the connection is silently rejected. To return a 403 instead,
        ## uncomment the HTTP::respond and return lines and comment out 'reject'.
        #HTTP::respond 403 content "Invalid Request HTTP Status 403: Invalid Request"
        ## Log the matched payload for later review
        log local0. $payload
        #return
        reject
    }
}
Published Sep 12, 2017
Version 1.0
kjewin1