
spring4shell iRules yet?

mbean
Altostratus

Anyone have an iRule to help alleviate this yet?

 

re: https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

 

"

WAF protection

On network protection devices such as WAF, implement rule filtering for strings such as "class.*", "Class.*", "*.class.*", and "*.Class.*" according to the actual traffic situation of deployed services. After filtering the rules, test the business operation to avoid additional impact.
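The filter strings quoted above can be dry-run against sample requests before they go into a WAF policy, so the "test the business operation" step is done on data rather than in production. The following is an added example, not code from the linked article, F5, or any poster in this thread; it assumes the match is applied to URL-decoded parameter names only, and every sample request in it is constructed.

```python
import re
from urllib.parse import unquote_plus

# The advisory's four strings ("class.*", "Class.*", "*.class.*", "*.Class.*")
# collapse to: a dotted segment that is exactly class/Class, followed by a dot.
# Only the two casings listed in the advisory are matched.
CLASS_SEGMENT = re.compile(r"(?:^|\.)[cC]lass\.")

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded names are compared in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def param_names(raw):
    """Yield decoded parameter names from a query string or form body."""
    for pair in raw.split("&"):
        if pair:
            yield decode_fully(pair.split("=", 1)[0])

def flagged_params(query="", body=""):
    """Return the parameter names the advisory's filter would block."""
    return [name for raw in (query, body) for name in param_names(raw)
            if CLASS_SEGMENT.search(name)]

# Constructed sample requests: (label, query string, form body)
SAMPLES = [
    ("plain", "class.example=1", ""),
    ("capital", "", "Class.example=1"),
    ("nested", "user.class.example=1", ""),
    ("encoded", "%63lass%2Eexample=1", ""),
    ("double-encoded", "", "user%252EClass%252Eexample=1"),
    ("benign-classroom", "classroom.id=7&subclass.name=x", ""),
    ("benign-value", "q=class.example", ""),
]

def run_samples():
    """Map each sample label to the parameter names that would be blocked."""
    return {label: flagged_params(q, b) for label, q, b in SAMPLES}

if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:18} {'BLOCK' if hits else 'pass '} {hits}")
```

The two benign samples show why the pattern is anchored to a whole segment: names such as classroom.id or subclass.name, and values that merely contain "class.", pass through untouched.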
1 ACCEPTED SOLUTION

AaronJB
F5 SIRT

F5 has published additional Advanced WAF rules for CVE-2022-22965 (Spring4Shell) and CVE-2022-22963 (Spring Cloud RCE), in addition to the 0-day coverage provided by several existing rules: https://support.f5.com/csp/article/K24912123

While you could likely use the log4j iRule as a base and modify it to contain your desired rules for Spring4Shell et al, I would caution that it is much more efficient and robust to use a WAF like Advanced WAF or NGINX App Protect than it is to re-write that functionality in an iRule.


3 REPLIES 3


mbean
Altostratus

Thanks. I was just wondering if they were going to release an iRule to use before the WAF/ASM policies were rolled out, like was done with log4J fun times.

 

 

 

@mbean,
Just yesterday/today @Ismael_Goncalves pushed an article in CrowdSRC with a link to his GitHub with an iRule that may help.
https://community.f5.com/t5/crowdsrc/irule-to-assist-with-cve-2022-22965-mitigation/ta-p/294241