For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Let iRules Work Around that ASP.NET Padding Oracle Attack

Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool.  The attack itself preys on a b...
Published Sep 20, 2010
Version 1.0
application delivery
dev
devops
iRules
oracle
partner
security
us
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Sep 20, 2010
@Bertand This solution applies pre and post-3.5SP1 unless I'm reading the advisory wrong.

 

 

@Matt I only implemented the specified workaround, not any additional recommendations. You are correct in that you could add a delay, but would be better without the variable, and would look more like this:

 

 

after [expr [expr { int(10000 * rand()) }] +2000]