Question/Advice on iRule Remediating the Telerik Unsafe Reflection Vulnerability (CVE-2025-3600)
Hi, I have the below iRule that is supposed to remediate the Telerik UI library vulnerability mentioned in the title above. The iRule is built based on their IIS URL Rewrite recommendation. I understand its logic in general, but I am not a developer and I am not sure whether what I am seeing is OK or not. If I test the iRule with a malicious request using Postman or curl, it works as expected: the request is blocked every time. If I test using a browser, any browser, the first request is blocked and the next one is allowed, which is not what I would expect. Below is the iRule; any help/advice would be much appreciated. I am running BIG-IP LTM 17.5.1.3. Thank you.

when HTTP_REQUEST {
    # Case-insensitive match on path for Telerik.Web.UI.WebResource.axd
    set path_lc [string tolower [HTTP::path]]
    if { [string match "*telerik.web.ui.webresource.axd" $path_lc] } {
        # Normalize method
        set method [string toupper [HTTP::method]]

        # Decode query string (may be empty)
        set raw_q [HTTP::query]
        if { $raw_q eq "" } {
            set dec_q ""
        } else {
            set dec_q [URI::decode $raw_q]
        }

        # Decode Cookie header (if present)
        set raw_cookie ""
        if { [HTTP::header exists "Cookie"] } {
            set raw_cookie [HTTP::header value "Cookie"]
        }
        set dec_cookie [URI::decode $raw_cookie]

        # -------------------------
        # Rule 1 (ALLOW): Allow RadAsyncUpload/RadCloudUpload POSTs
        # IIS: UrlDecode(QUERY_STRING) must match ^type=(rau|rcu)$ and method == POST
        # -------------------------
        set allow_post_rau_rcu 0
        if { $method eq "POST" } {
            if { [regexp -nocase {^type=(rau|rcu)$} $dec_q] } {
                set allow_post_rau_rcu 1
            }
        }
        if { $allow_post_rau_rcu } {
            # Stop further processing (equivalent to stopProcessing="true")
            return
        }

        # -------------------------
        # Rule 2 (BLOCK): Block all GET requests containing Content-Type header
        # IIS: method == GET AND HTTP_CONTENT_TYPE matches ".+"
        # -------------------------
        if { $method eq "GET" } {
            if { [HTTP::header exists "Content-Type"] && [string length [HTTP::header "Content-Type"]] > 0 } {
                # Note: the original "event disable" after HTTP::respond was removed. It switches
                # off HTTP_REQUEST for the remainder of the TCP connection, so a browser's next
                # request on the same keep-alive connection would bypass this iRule entirely.
                # HTTP::respond followed by return is sufficient to block this request.
                HTTP::respond 403 content {Request blocked 2}
                return
            }
        }

        # -------------------------
        # Rule 3 (BLOCK): Block PRType and encoded attacks; also block non-GET
        # IIS: MatchAny of:
        #   - UrlDecode(QUERY_STRING) contains "prtype="
        #   - UrlDecode(HTTP_COOKIE) contains "prtype="
        #   - REQUEST_METHOD != GET
        # Note: The allowed POSTs above have already returned.
        # -------------------------
        if { [regexp -nocase {prtype=} $dec_q] || [regexp -nocase {prtype=} $dec_cookie] || $method ne "GET" } {
            # Same as above: no "event disable", so later requests on this connection are still inspected.
            HTTP::respond 403 content {Request blocked 3}
            return
        }

        # If none of the block conditions match, allow the request.
    }
}

Resetting to Factory Default
I recently followed the procedure in K44595522 to wipe a pair of i2800s. I started with the standby device, which went just as expected. When I ran the same steps on the active device, it scrolled lines across the screen for anywhere from 15 to 30 minutes. And when it finally stopped, the device was not completely wiped like the standby device. Anyone else have this same experience? Thanks in advance.

sslprovider (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic
When I enable the sslprovider and start a tcpdump on the server side in order to decode TLSv1.3 traffic, only the CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET 'keys' are stored in the packet capture file, but the CLIENT_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET 'keys' are missing. This prevents me from decoding the application data in the packet capture:

# tmsh modify sys db tcpdump.sslprovider value enable
# tcpdump -i <server-side-VLAN> -s0 -f5 ssl:v -vvv -w /var/tmp/output.cap
<Generate traffic>
# tshark -r /var/tmp/output.cap -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog

On the client side, this works as expected. Is this a bug (tested with TMOS 17.5.1)? Am I doing something wrong?

Issue with IIS and Client Component Service Load balancing
Hi Team, we have Citrix client machines (7 in total) accessing the VIPs on 443 and 5609 (same virtual server) configured on the LTM, and 3 web application servers (IIS and Client Component Service running) as backend. With three servers in the backend for 443 and 5609, the accessibility of the web services never works. With a single real server enabled for 443 and 5609, the connectivity works. I have tried source IP and cookie persistence, still no luck. Can somebody help?

Client --> F5 VIP (443,5609) --> SNAT Automap --> Pool (443,5609) --> 3 real servers

Use F5 APM as Forward Proxy
Hello All, I have one BIG-IP with an APM license and I want to use it as a forward proxy. I have used this iApp https://devcentral.f5.com/codeshare/apm-explicit-proxy and now I have:

- DNS Resolver
- Tunnel for traffic
- HTTP profile
- Virtual Server (Proxy) listening on 8080

Although this is configured, when I point my browser to this proxy it doesn't seem to work. I suppose that now I have to create two more separate virtual servers listening on ports 80 and 443 for handling HTTP and HTTPS traffic. Am I right? The question is, once I have configured these two virtual servers, how can I forward traffic to the Internet? If the VS doesn't have pool members, does it check the routing table? Or do I have to create an iRule with something like this:

When HTTP::request { Forward }
When HTTP::response { Forward }

Also, I don't want to inspect SSL traffic. I would like to use the proxy as a passthrough but only allow certain HTTPS sites. Do I need to inspect SSL traffic to filter by URLs? Thanks in advance.

Forward proxy with SSL passthrough - SWG license required?
Hi, at one site with a single v15 VE I need to proxy outbound traffic, but without SSL inspection. Most docs relating to SSL passthrough assume that targets are internal and pooled, but this is not my scenario: internal clients must connect to numerous (but specified) external URLs outside my control, whose IPs are constantly changing. This similar query states it was solved via an iApp, but does not specify which one, or give much detail on the final config. Regarding the license aspect, other proxy-related posts refer to the need for an SWG license (which I don't have); would I need this? The documentation for this use case is unclear; any comments/tips gratefully received! Cheers, auto

Identity-centric F5 ADSP Integration Walkthrough
In this article we explore F5 ADSP through the identity lens by using BIG-IP APM and BIG-IP SSLO and adding BIG-IP AWAF to the service chain. The F5 ADSP addresses four core areas: deploy at scale, secure against evolving threats, deliver applications reliably, and operate your day-to-day work efficiently. Each comes with its own challenges, but together they define the foundation for keeping systems fast, stable, and safe. Each architecture deployment example is designed to cover at least two of the four core areas: Deployment, Security, Delivery and XOps.

AI Inference for vLLM models with F5 BIG-IP & Red Hat OpenShift
This article shows how to perform intelligent load balancing for AI workloads using the new features of BIG-IP v21 and Red Hat OpenShift. Intelligent load balancing is done based on business logic rules, without iRule programming, and on state metrics of the vLLM inference servers gathered from OpenShift's Prometheus.

SSL cipher
Hi guys, TLS is weird. Why is this behavior happening? The server that receives the Client Hello sends an alert.

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 688
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 684
            Version: TLS 1.2 (0x0303)

The server only allows TLS 1.0. Our SSL profile is also set to only allow TLS 1.0.