F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Mitigate Apache strut2 vulnerability, cve-2017-5638

Problem this snippet solves: F5 has updated the official KB article K43451236 on AskF5 to include an enhanced version of the iRule below that will protect your vulnerable web servers behind the BIG-...
Published Mar 07, 2017
Version 1.0
application delivery
BIG-IP
iRules
security
Jobs_Hu_135845's avatar
Jobs_Hu_135845
Icon for Nimbostratus rankNimbostratus
Mar 10, 2017

The RCA is the function 'findText' will execute the injection code. That means, before execute the injection code, attacker need to trigger an exception.

 

Thus, the necessary and sufficient conditions are as below:

 

  • The Request contains 'Content-Type'
  • The Content-Type contains 'multipart/form-data'
  • The Content-Type should be illegal to trigger Error Key 'struts.messages.error.content.type.not.allowed'

(refer to: https://cwiki.apache.org/confluence/display/WW/File+UploadFileUpload-AlternateLibraries)

 

This maybe explained why the FW vendor's sig is using starts_with like below (currently, most PoC codes are added additional characters in the beginning of Content-Type):

 

if {($ctheader contains "multipart/form-data") and not($ctheader starts_with "multipart/form-data")}{

I suspect that if modify the PoC string like 'haha%{}multipart/form-data' or 'multipart/form-datahaha%{}' may have same result. That means 'starts_with' may not be exact enough for block the injection. Therefore, I would prefer to choose Linjing's irule. It would be better.