Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Apache Log4j2 (CVE-2021-44228) mitigation iApp

PeteWhite
F5 Employee
F5 Employee

on ‎15-Dec-2021 09:10 - edited on ‎08-Feb-2022 14:23 by Community Manager

Problem this snippet solves:

There is a CVE released related to Apache log4j, which could be a vulnerability on a server located behind the BIG-IP.

F5 SIRT have helpfully created an iRule to mitigate this vulnerability, this is an iApp to simplify creation and management of the iRule.

How to use this snippet:

Install the iApp Template

  • Download and unpack the archive
  • Login to BIG-IP TMUI and navigate to iApps>Templates
  • Hit Import button, select the template and hit Upload

Create an iRule instance

  • Navigate to iApps>Application Services>Applications
  • Hit Create button, enter a relevant Name and select the log4j2_mitigation template
  • Set the Debug Level ( Off, Attack or Debug ). Off = no logs, Attack = logs in the case of an attack detected, Debug = more detailed logs
  • Hit Finished - iRule should be created

rtaImage (7).png

Assign iRule to virtual server

  • Navigate to LTM>Virtual Servers.
  • Click on the Virtual Server, navigate to Resources tab
  • Click Manage button under iRules section, add iRule. Note the Virtual Server must have an assigned http profile for this iRule, otherwise it will throw an error.

Manage iRule

  • If you have issues with the iRule or want to modify logs, navigate to iApps>Application Services>Applications and click on the deployed service.
  • Navigate to the Reconfigure tab, make changes and hit Finished

Tested this on version:

15.1

Labels:
0 Kudos
Comments
Niels_van_Sluis
MVP
MVP
‎18-Dec-2021 00:55

Hi Pete, Nice! Thanks for sharing. Maybe you can also make it possible to modify the priority setting, so you can give it a higher priority when multiple iRules are being used on the same virtual server.

0 Kudos
PeteWhite
F5 Employee
F5 Employee
‎18-Dec-2021 03:09

Thanks for the suggestion Niels, i've done that. Maybe you can try it out and let me know

0 Kudos
Niels_van_Sluis
MVP
MVP
‎19-Dec-2021 01:07

Hi Pete, just deployed it on my lab VE and it look good. Thanks!

0 Kudos
PeteWhite
F5 Employee
F5 Employee
‎20-Dec-2021 02:00

great, thanks!

0 Kudos
Juan_Cuevas
Nimbostratus
Nimbostratus
‎20-Dec-2021 11:26

Hello, can it be applied in BigIP without ASM?

0 Kudos
PeteWhite
F5 Employee
F5 Employee
‎21-Dec-2021 02:23

Hi Juan, yes it can be applied without ASM. This is an iRule that is assigned to the virtual server directly. You can obviously do this via the ASM Attack Signatures as well, which would probably be more performant.

0 Kudos
Version history
Last update:
‎08-Feb-2022 14:23
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC