Mitigate Apache Struts 2 vulnerability, CVE-2017-5638
Published Mar 07, 2017
Version 1.0
Todd's comment is correct. Here is a revised version of the iRule that I believe will address this:
when HTTP_REQUEST {
    if { [HTTP::method] equals "POST" || [HTTP::method] equals "GET" } {
        # Compare the lower-cased Content-Type header against the whitelist
        switch -glob -- [string tolower [HTTP::header value "Content-Type"]] {
            "" -
            "multipart/form-data; boundary=*" -
            "multipart/form-data" -
            "text/xml" -
            "text/xml; charset=utf-8" -
            "application/x-www-form-urlencoded" {
                # Allow request with empty or white listed "Content-Type" headers
            }
            default {
                # Reject request with unknown "Content-Type" headers
                reject
            }
        }
    }
}
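
The following is an added example, not part of the original post or of F5's code: an offline model of the whitelist above that runs in plain tclsh, so candidate Content-Type values can be checked before the iRule is deployed. The proc name `classify_content_type` and all sample header values are constructed for illustration.

```tcl
# Offline model of the iRule's Content-Type whitelist for plain tclsh.
# classify_content_type is a hypothetical helper name, not an F5 API.
# The patterns are copied from the iRule; "allow"/"reject" stand in for
# passing the request through and for the iRule's reject command.
proc classify_content_type {value} {
    switch -glob -- [string tolower $value] {
        "" -
        "multipart/form-data; boundary=*" -
        "multipart/form-data" -
        "text/xml" -
        "text/xml; charset=utf-8" -
        "application/x-www-form-urlencoded" {
            return allow
        }
        default {
            return reject
        }
    }
}

# Constructed sample header values (not captured traffic). The last one is a
# harmless placeholder for a header that embeds an expression instead of a
# media type; it contains no working payload.
set samples {
    ""
    "application/x-www-form-urlencoded"
    "Multipart/Form-Data; boundary=----constructed123"
    "text/xml; charset=UTF-8"
    "text/xml;charset=utf-8"
    "application/x-www-form-urlencoded; charset=UTF-8"
    "application/json"
    "%{constructed-placeholder}.multipart/form-data"
}

# Print the decision next to each value so false rejects are easy to spot.
foreach value $samples {
    puts [format "%-6s  \[%s\]" [classify_content_type $value] $value]
}
```

Apart from the `boundary=*` pattern, every entry is an exact match after lower-casing, so legitimate variants such as `text/xml;charset=utf-8` (no space), `application/x-www-form-urlencoded; charset=UTF-8` and `application/json` are rejected along with malformed values. Add patterns for the media types your applications actually send before enabling the iRule.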