Forum Discussion
Hi @Daniel Martinez,
the following iRule will check the headers and the payload of any POST request for the string and reject them.
This iRule is provided "as is", without a warranty that it is a guaranteed protection against this CVE or any kind of performance testing.
Patching your servers, or using AWAF or Threat Campaigns is the better alternative.
Currently, in my opinion, the best read on this vulnerability is: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
AWAF, TC and NGINX App Protect signatures are available: https://support.f5.com/csp/article/K19026212
KR
Daniel
- EDIT1: Since the vulnerability is applicable to any input field, I also added query parameters to be searched for the string.
- EDIT2: Updated to match regex for variants of LDAP, LDAPS, DNS, RMI
- EDIT3: added URI::decode to discover obfuscation, as suggested by John Alam. Thanks for the hint!
Still not scanning the entire HTTP request with
- EDIT 4: copy/pasted the code in as an image for syntax highlighting and to pass infrastructure rules that won't allow for "malicious" code. -lz
In case someone is interested, here is my Postman Collection which I used for testing:
https://raw.githubusercontent.com/webserverdude/f5-general/main/iRules/CVE-2021-44228.postman_collection.json
In the same repo there's the current version of the iRule > rule_mitigate_CVE-2021-44228.irul