Mitigate Apache Struts2 vulnerability, CVE-2017-5638
Problem this snippet solves: F5 has updated the official KB article K43451236 on AskF5 to include an enhanced version of the iRule below that will protect your vulnerable web servers behind the BIG-...
Published Mar 07, 2017
Version 1.0
John_Alam_45640
Historic F5 Account
Joined June 12, 2006
John_Alam_45640
Mar 09, 2017
Here is a modified version which takes care of the false positive mentioned above, removes the POST request checking, and adds a few more values to the white-list.
 
Inspecting Content-Type from GET requests requires a much larger white-list and increases the chance of blocking legitimate requests. It also reduces the effectiveness of this iRule, and therefore this iRule is not to be trusted to provide complete protection. White-listing values may not be good for all applications.
 
The best protection is using a WAF. Check here.
 
WARNING: the iRule below can produce false positives and block legitimate traffic. Make sure you adjust the list of Content-Types for your application before relying on this iRule.
 
when HTTP_REQUEST {
    # Compare the lower-cased Content-Type header against a glob allow-list.
    # A missing header evaluates to "" and matches the first pattern.
    # "?" matches exactly one character, so "text/???" covers text/xml and
    # text/css but not text/plain; "*" covers any multipart boundary value.
    switch -glob -- [string tolower [HTTP::header value "Content-Type"]] {
        "" -
        "multipart/form-data" -
        "text/xml; charset=utf-8" -
        "text/???" -
        "text/javascript" -
        "image/???" -
        "image/jpeg" -
        "text/html" -
        "multipart/form-data; boundary=*" -
        "application/x-javascript" -
        "application/x-www-form-urlencoded" {
            # Allow request with empty or white-listed "Content-Type" headers
        }
        default {
            # Reject request with unknown "Content-Type" headers
            reject
            log local0. "Rejecting a request with Content-type [HTTP::header Content-Type] to [HTTP::uri] from [IP::client_addr]"
        }
    }
}
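As an added example (not F5's code, and not part of the original post or the KB article), the following Python re-implements the iRule's glob allow-list so the list can be exercised offline before it is deployed on a BIG-IP. The request dictionaries, URIs and client addresses are constructed stand-ins for the HTTP::header, HTTP::uri and IP::client_addr values the iRule reads, and the function names are my own. The last sample carries the OGNL-expression shape (a Content-Type beginning with "%{" and containing "#cmd=") described in public reports of CVE-2017-5638. The run also shows the false-positive warning above in action: application/json and text/plain are not on the list and would be rejected.

```python
"""Offline check of the Content-Type allow-list used by the iRule above.

Added example, not F5's code: re-implements `switch -glob` over the same
pattern list with fnmatch so each candidate header can be classified and
the resulting log line inspected without a BIG-IP.
"""
from fnmatch import fnmatchcase

# Same glob patterns as the iRule body. Tcl glob and fnmatch agree on the
# meaning of "*" and "?" for these patterns; none use "[...]" classes.
ALLOWED_CONTENT_TYPES = (
    "",                                  # header absent or empty
    "multipart/form-data",
    "text/xml; charset=utf-8",
    "text/???",                          # exactly three chars: text/xml, text/css
    "text/javascript",
    "image/???",                         # image/png, image/gif, image/jpg
    "image/jpeg",
    "text/html",
    "multipart/form-data; boundary=*",   # any boundary value
    "application/x-javascript",
    "application/x-www-form-urlencoded",
)


def content_type_allowed(value, allowed=ALLOWED_CONTENT_TYPES):
    """Return True if the lower-cased Content-Type matches any pattern.

    Mirrors `switch -glob -- [string tolower ...]`: case-insensitive,
    anything that matches no pattern falls through to the reject branch.
    """
    lowered = (value or "").lower()
    return any(fnmatchcase(lowered, pattern) for pattern in allowed)


def decide(request, allowed=ALLOWED_CONTENT_TYPES):
    """Return ("allow" | "reject", log_line_or_None) for one request.

    `request` is a constructed dict standing in for the iRule's
    HTTP::header / HTTP::uri / IP::client_addr lookups (assumed key names).
    """
    content_type = request.get("Content-Type", "")
    if content_type_allowed(content_type, allowed):
        return "allow", None
    log_line = "Rejecting a request with Content-type %s to %s from %s" % (
        content_type, request["uri"], request["client"])
    return "reject", log_line


# Constructed sample requests (not captured traffic). The last one has the
# "%{...#cmd=...}" shape reported for CVE-2017-5638 and is rejected simply
# because no allow-list entry starts with "%{".
SAMPLE_REQUESTS = [
    {"uri": "/index.action", "client": "192.0.2.10", "Content-Type": ""},
    {"uri": "/upload.action", "client": "192.0.2.11",
     "Content-Type": "Multipart/Form-Data; boundary=----WebKitFormBoundary7MA4"},
    {"uri": "/api/orders", "client": "192.0.2.12",
     "Content-Type": "application/json"},          # legitimate but blocked
    {"uri": "/notes.action", "client": "192.0.2.13",
     "Content-Type": "text/plain"},                # 5 chars, not text/???
    {"uri": "/struts2-showcase/", "client": "198.51.100.7",
     "Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}"},
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Classify every sample request and return {uri: decision}."""
    return {r["uri"]: decide(r)[0] for r in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, log_line = decide(req)
        print("%-7s %s" % (decision, req["uri"]))
        if log_line:
            print("        " + log_line)
```

Add or remove entries in ALLOWED_CONTENT_TYPES to mirror your application's traffic, re-run, and only then carry the same list into the iRule; the two rejected-but-legitimate samples are exactly the kind of false positive the comment above warns about.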