PeteWhite
F5 Employee

Problem this snippet solves:

A CVE has been released for Apache log4j, which could be a vulnerability on a server located behind the BIG-IP.

F5 SIRT have helpfully created an iRule to mitigate this vulnerability. This is an iApp to simplify creation and management of that iRule.

How to use this snippet:

Install the iApp Template

  • Download and unpack the archive
  • Log in to the BIG-IP TMUI and navigate to iApps>Templates
  • Hit the Import button, select the template and hit Upload

Create an iRule instance

  • Navigate to iApps>Application Services>Applications
  • Hit the Create button, enter a relevant Name and select the log4j2_mitigation template
  • Set the Debug Level (Off, Attack or Debug). Off = no logs, Attack = logs when an attack is detected, Debug = more detailed logs
  • Hit Finished; the iRule should be created


Assign iRule to virtual server

  • Navigate to LTM>Virtual Servers.
  • Click on the Virtual Server and navigate to the Resources tab
  • Click the Manage button under the iRules section and add the iRule. Note that the Virtual Server must have an assigned http profile for this iRule, otherwise it will throw an error.

Manage iRule

  • If you have issues with the iRule or want to modify logs, navigate to iApps>Application Services>Applications and click on the deployed service.
  • Navigate to the Reconfigure tab, make changes and hit Finished

Tested this on version:

15.1

Comments

Hi Pete, Nice! Thanks for sharing. Maybe you can also make it possible to modify the priority setting, so you can give it a higher priority when multiple iRules are being used on the same virtual server.

PeteWhite
F5 Employee

Thanks for the suggestion Niels, I've done that. Maybe you can try it out and let me know.

Hi Pete, just deployed it on my lab VE and it looks good. Thanks!

PeteWhite
F5 Employee

Great, thanks!

Juan_Cuevas
Nimbostratus

Hello, can it be applied in BigIP without ASM?

PeteWhite
F5 Employee

Hi Juan, yes it can be applied without ASM. This is an iRule that is assigned to the virtual server directly. You can obviously do this via the ASM Attack Signatures as well, which would probably be more performant.

Version history
Last update:
08-Feb-2022 14:23
Updated by: