Hi @Daniel Martinez,
the following iRule will check the headers and the payload of any POST request for the stringand reject them.
This iRule is provided "as is", without a warranty that it is a guaranteed protection against this CVE or any kind of performance testing.
Patching your servers, or using AWAF or Threat Campaigns is the better alternative.
Currently, in my opinion, the best read on this vulnerability is: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
AWAF, TC and NGINX App Protect signatures are available: https://support.f5.com/csp/article/K19026212
In case someone is interested, here is my Postman Collection which I used for testing:
In the same repo there's the current version of the iRule > rule_mitigate_CVE-2021-44228.irul
usually I am not asking for this, but the Log4shell issue is kind of important.
Could you please mark this question as "Answered"? Under each answer there is "Select As Best", which is equivalent to "Answered". Just select my above answer as best. This way other community members can find the iRule mitigation for CVE-2021-44228 faster and easier.
Thanks in advance & KR
this should not be the case. Unless the iRule matches the pattern of the attack, it does not alter the request going to the backend servers.
Can you compare the requests sent to the backend servers with and without the iRule? Using tools like tcpdump, wireshark or just from the log of the backend servers? Can you spot any differences in the HTTP Requests?