Mitigate Apache Struts 2 vulnerability, CVE-2017-5638
Published Mar 07, 2017
Version 1.0
Here is another iRule that can block most but NOT all attacks. This iRule is based on attack signatures that have been seen in the wild.
If you decide to use this iRule please test it thoroughly against your application to make sure it does not block legitimate requests.
when HTTP_REQUEST {
    if { [HTTP::header exists "Content-Type"] } {
        # Normalize the header to lower case so the substring checks below are case-insensitive
        set ctheader [string tolower [HTTP::header "Content-Type"]]
        # Flag a multipart Content-Type that also carries a token commonly seen in S2-045 payloads
        if { ($ctheader contains "multipart/form-data") and (($ctheader contains "'") or ($ctheader contains "ognl") or ($ctheader contains "java.lang") or ($ctheader contains "bash") or ($ctheader contains "cmd") or ($ctheader contains "org.apache")) } {
            log local0. "Found Struts S2-045 attack! Rejecting a request with Content-type [HTTP::header "Content-Type"] to [HTTP::uri] from [IP::client_addr]"
            # If you do not want to reset the connection, comment out the line below
            reject
        }
    }
}
Here is another iRule that references a well-known firewall vendor's signature. Please test it:
when HTTP_REQUEST {
    if { [HTTP::header exists "Content-Type"] } {
        # Normalize the header to lower case so the checks below are case-insensitive
        set ctheader [string tolower [HTTP::header "Content-Type"]]
        # A legitimate multipart Content-Type starts with the media type; the S2-045 payload
        # places the string "multipart/form-data" later in the header value
        if { ($ctheader contains "multipart/form-data") and not ($ctheader starts_with "multipart/form-data") } {
            log local0. "Found Struts S2-045 attack! Rejecting a request with Content-type [HTTP::header "Content-Type"] to [HTTP::uri] from [IP::client_addr]"
            # If you do not want to reset the connection, comment out the line below
            reject
        }
    }
}
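To see how the two iRules above differ, here is an added Python re-implementation of both signature checks (not F5 code and not part of the original article) run over constructed Content-Type values; the sample headers and the function names are assumptions made for this illustration.

```python
# Added example: mirror of the two iRule Content-Type checks so they can be
# exercised offline. The header values below are constructed test inputs.

# Tokens the first iRule looks for alongside "multipart/form-data"
SIG_TOKENS = ("'", "ognl", "java.lang", "bash", "cmd", "org.apache")


def rule_token_match(content_type: str) -> bool:
    """First iRule: multipart/form-data present plus any suspicious token."""
    ct = content_type.lower()  # same as [string tolower ...] in the iRule
    return "multipart/form-data" in ct and any(tok in ct for tok in SIG_TOKENS)


def rule_prefix_match(content_type: str) -> bool:
    """Second iRule: multipart/form-data present but not at the start of the value."""
    ct = content_type.lower()
    return "multipart/form-data" in ct and not ct.startswith("multipart/form-data")


# Constructed sample headers (hypothetical; the OGNL-style one is a placeholder
# shape, not a working payload)
SAMPLES = {
    "benign_upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "benign_boundary_with_cmd": "multipart/form-data; boundary=cmdline-upload-0001",
    "json_body": "application/json",
    "constructed_ognl_style": "%{PLACEHOLDER ognl 'multipart/form-data'}",
    "trailing_multipart": "text/plain; note=multipart/form-data",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (token_rule_hit, prefix_rule_hit)} for each sample header."""
    return {name: (rule_token_match(v), rule_prefix_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (token_hit, prefix_hit) in evaluate().items():
        print(f"{name:26s} token-rule={token_hit!s:5s} prefix-rule={prefix_hit}")
```

Note that the token rule flags the benign boundary containing "cmd" while the prefix rule does not, and the prefix rule flags the trailing-multipart value the token rule misses; this is why the article asks you to test either iRule against your own application traffic before relying on it.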