application delivery
Question/Advice on iRule Remediating the Telerik Unsafe Reflection Vulnerability (CVE-2025-3600)
Hi, I have the below iRule that is supposed to remediate the Telerik UI library vulnerability mentioned in the title above. The iRule is built based on their IIS URL Rewrite recommendation. I understand its logic in general, but I am not a developer and I am not sure whether what I am seeing is OK or not. If I test the iRule with a malicious request using Postman or curl, it works as expected: the request is blocked every time. If I test using a browser, any browser, the first request is blocked and the next one is allowed, which is not what I would expect. Below is the iRule; any help/advice would be much appreciated. I am running BIG-IP LTM 17.5.1.3. Thank you.

    when HTTP_REQUEST {
        # Case-insensitive match on path for Telerik.Web.UI.WebResource.axd
        set path_lc [string tolower [HTTP::path]]
        if { [string match "*telerik.web.ui.webresource.axd" $path_lc] } {
            # Normalize method
            set method [string toupper [HTTP::method]]

            # Decode query string (may be empty)
            set raw_q [HTTP::query]
            if { $raw_q eq "" } {
                set dec_q ""
            } else {
                set dec_q [URI::decode $raw_q]
            }

            # Decode Cookie header (if present)
            set raw_cookie ""
            if { [HTTP::header exists "Cookie"] } {
                set raw_cookie [HTTP::header value "Cookie"]
            }
            set dec_cookie [URI::decode $raw_cookie]

            # -------------------------
            # Rule 1 (ALLOW): Allow RadAsyncUpload/RadCloudUpload POSTs
            # IIS: UrlDecode(QUERY_STRING) must match ^type=(rau|rcu)$ and method == POST
            # -------------------------
            set allow_post_rau_rcu 0
            if { $method eq "POST" } {
                if { [regexp -nocase {^type=(rau|rcu)$} $dec_q] } {
                    set allow_post_rau_rcu 1
                }
            }
            if { $allow_post_rau_rcu } {
                # Stop further processing (equivalent to stopProcessing="true")
                return
            }

            # -------------------------
            # Rule 2 (BLOCK): Block all GET requests containing a Content-Type header
            # IIS: method == GET AND HTTP_CONTENT_TYPE matches ".+"
            # -------------------------
            if { $method eq "GET" } {
                if { [HTTP::header exists "Content-Type"] && [string length [HTTP::header "Content-Type"]] > 0 } {
                    HTTP::respond 403 content {Request blocked 2}
                    # Do not follow this with "event disable": that switches HTTP_REQUEST
                    # off for the rest of this TCP connection, so any later request that
                    # reuses the connection (browser keep-alive) would bypass every check
                    # below. "return" alone is the iRule equivalent of stopProcessing="true".
                    return
                }
            }

            # -------------------------
            # Rule 3 (BLOCK): Block PRType and encoded attacks; also block non-GET
            # IIS: MatchAny of:
            #   - UrlDecode(QUERY_STRING) contains "prtype="
            #   - UrlDecode(HTTP_COOKIE) contains "prtype="
            #   - REQUEST_METHOD != GET
            # Note: the allowed POSTs above have already returned.
            # -------------------------
            if { [regexp -nocase {prtype=} $dec_q] || [regexp -nocase {prtype=} $dec_cookie] || $method ne "GET" } {
                HTTP::respond 403 content {Request blocked 3}
                # Same as above: no "event disable" here, so the next request on a
                # kept-alive connection is still evaluated by this iRule.
                return
            }

            # If none of the block conditions match, allow the request.
        }
    }

Resetting to Factory Default
I recently followed the procedure in K44595522 to wipe a pair of i2800s. I started with the standby device, which went just as expected. When I ran the same steps on the active device, it scrolled lines across the screen for anywhere from 15 to 30 minutes, and when it finally stopped the device was not completely wiped the way the standby device was. Has anyone else had this same experience? Thanks in advance.

sslprovider (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic
When I enable the sslprovider and start a tcpdump on the server side in order to decode TLSv1.3 traffic, only the CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET 'keys' are stored in the packet capture file; the CLIENT_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET 'keys' are missing. This prevents me from decoding the application data in the packet capture:

    # tmsh modify sys db tcpdump.sslprovider value enable
    # tcpdump -i <server-side-VLAN> -s0 -f5 ssl:v -vvv -w /var/tmp/output.cap
    <Generate traffic>
    # tshark -r /var/tmp/output.cap -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog

On the client side, this works as expected. Is this a bug (tested with TMOS 17.5.1)? Am I doing something wrong?

Issue with IIS and Client Component Service Load balancing
Hi Team, We have Citrix client machines (7 in total) accessing the VIPs 443 and 5609 (same virtual server) configured on the LTM, with 3 web application servers (IIS and Client Component Service running) as the backend. With three servers in the backend for 443 and 5609, access to the web services never works. With a single real server enabled for 443 and 5609, the connectivity works. I have tried source IP and cookie persistence; still no luck. Can somebody help?

    Client --> F5 VIP (443, 5609) --> SNAT Automap --> Pool (443, 5609) --> 3 real servers

Use F5 APM as Forward Proxy
Hello All, I have one BIG-IP with an APM license and I want to use it as a forward proxy. I have used this iApp https://devcentral.f5.com/codeshare/apm-explicit-proxy and now I have:

    DNS Resolver
    Tunnel for traffic
    HTTP profile
    Virtual Server (Proxy) listening on 8080

Although this is configured, when I point my browser to this proxy it doesn't seem to work. I suppose that now I have to create two more separate virtual servers listening on ports 80 and 443 for handling HTTP and HTTPS traffic. Am I right? The question is, once I have configured these two virtual servers, how can I forward traffic to the Internet? If the VSs have no pool members, do they check the routing table? Or do I have to create an iRule with something like this:

    When HTTP::request { Forward }
    When HTTP::response { Forward }

Also, I don't want to inspect SSL traffic. I would like to use the proxy as a passthrough but only allow certain HTTPS sites. Do I need to inspect SSL traffic to filter by URLs? Thanks in advance.

Forward proxy with SSL passthrough - SWG license required?
Hi, At one site with a single v15 VE I need to proxy outbound traffic, but without SSL inspection. Most docs relating to SSL passthrough assume that targets are internal and pooled, but this is not my scenario: internal clients must connect to numerous (but specified) external URLs outside my control, and whose IPs are constantly changing. This similar query states solved via iApp but does not specify which one, or give much detail on the final config. Regarding the license aspect, other proxy-related posts refer to the need for an SWG license (which I don't have); would I need this? The documentation for this use case is unclear; any comments/tips gratefully received! Cheers, auto

SSL cipher
Hi guys, TLS is weird. Why is this behavior happening? The server that receives the Client Hello sends an alert.

    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 688
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 684
                Version: TLS 1.2 (0x0303)

The server only allows TLS 1.0. Our SSL profile is also set to only allow TLS 1.0.

iApps with load ucs Platform-migrate on newer hardware
I see that iApps are deprecated and the latest recommendation is to use FAST.

1. When we load a UCS file from iSeries to rSeries using platform-migrate, how are iApps copied? Or are they not copied, and are we supposed to do it manually by either enabling deprecated iApps or using FAST?
2. Is it good practice to load the config after the new pair of F5s is in HA with no VIPs, just self IPs and VLANs?

Getting a compile error when enabling NGINX App Protect
I'm trying to install NGINX Plus with App Protect, but when I try to enable the app_protect module after installing it I get the following error:

    nginx: [emerg] APP_PROTECT config_set_id 1752649466-871-149162 not found within 45 seconds
    nginx: [emerg] APP_PROTECT fstat() "/opt/app_protect/config/compile_error_msg.json" failed (2: No such file or directory)

I cannot start the nginx service. Any idea about the issue?
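Returning to the Telerik iRule question near the top of this page: the Python below is an added model, not code from that post or from F5, of the three rules and of the per-connection effect of putting `event disable` after the 403 response in HTTP_REQUEST, which switches that event off for the remainder of the TCP connection. It uses `urllib.parse.unquote` as a stand-in for `URI::decode` (one decoding pass; treating the two as equivalent is an assumption), the `Connection` class is a toy model of BIG-IP connection state, and the requests are constructed samples.

```python
"""Model of the Telerik.Web.UI.WebResource.axd filtering rules and of what
"event disable" does on a keep-alive connection. Added example, not the
poster's iRule; Connection is a toy model, not BIG-IP code."""
import re
from urllib.parse import unquote

AXD_SUFFIX = "telerik.web.ui.webresource.axd"
PRTYPE = re.compile(r"prtype=", re.IGNORECASE)
RAU_RCU = re.compile(r"^type=(rau|rcu)$", re.IGNORECASE)


def evaluate_rules(method, path, query="", headers=None):
    """Return 'forward' or 'block N', mirroring rules 1-3 of the iRule."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if not path.lower().endswith(AXD_SUFFIX):
        return "forward"                 # the rule body only runs for the .axd handler
    method = method.upper()
    dec_q = unquote(query)               # one decoding pass, like URI::decode (assumption)
    dec_cookie = unquote(headers.get("cookie", ""))
    # Rule 1 (allow): RadAsyncUpload / RadCloudUpload POSTs stop processing
    if method == "POST" and RAU_RCU.search(dec_q):
        return "forward"
    # Rule 2 (block): GET carrying a non-empty Content-Type
    if method == "GET" and headers.get("content-type", ""):
        return "block 2"
    # Rule 3 (block): prtype= in decoded query or cookie, or any other non-GET
    if PRTYPE.search(dec_q) or PRTYPE.search(dec_cookie) or method != "GET":
        return "block 3"
    return "forward"


class Connection:
    """One client TCP connection. 'event disable' inside HTTP_REQUEST turns
    that event off for the rest of the connection; this flag models that."""

    def __init__(self):
        self.http_request_enabled = True


def handle(conn, req, disable_event_on_block):
    """Process one request on a connection and return the outcome."""
    if not conn.http_request_enabled:
        return "forward (iRule not evaluated)"
    verdict = evaluate_rules(*req)
    if verdict.startswith("block") and disable_event_on_block:
        conn.http_request_enabled = False   # what "event disable" leaves behind
    return verdict


def keepalive_demo(disable_event_on_block):
    """Send the same attack request twice over one keep-alive connection.
    The request is a constructed sample; %65 decodes to 'e'."""
    attack = ("GET", "/Telerik.Web.UI.WebResource.axd",
              "type=iau&prtype=%65vil", {})
    conn = Connection()
    return [handle(conn, attack, disable_event_on_block) for _ in range(2)]


if __name__ == "__main__":
    print("with event disable:   ", keepalive_demo(True))
    print("without event disable:", keepalive_demo(False))
```

The second element of `keepalive_demo(True)` is the browser symptom from the question: curl and Postman open a fresh connection per request, so they never hit the disabled state, while a browser reuses the connection.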
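For the "SSL cipher" question above, which shows a record-layer version of TLS 1.0 (0x0301) and a handshake version of TLS 1.2 (0x0303) in the same Client Hello: those are two different fields. The record version on a client's first record is a compatibility value (RFC 5246 and RFC 8446 tell clients to send 0x0301 there), while the version the server actually negotiates against is the one inside the handshake body or, for TLS 1.3-capable clients, the supported_versions extension. The parser below is an added example, not from the poster's capture or from F5; its Client Hello bytes are built by `build_client_hello` as a constructed sample, and `tls10_server_can_negotiate` encodes only the version rule, not cipher-suite matching, which is the other reason a TLS-1.0-only server alerts.

```python
"""Parse a TLS record holding a ClientHello and separate the record-layer
version from the versions the client actually offers. Added example with a
constructed sample; not code from the original post."""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 extension type


def parse_client_hello(data):
    """Return (record_version, client_version, cipher_suites, supported_versions)."""
    content_type, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                     # skip client_random
    sid_len = hello[pos]; pos += 1 + sid_len         # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len       # compression methods
    supported = []
    if pos + 2 <= len(hello):                        # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + ext_body_len]; pos += ext_body_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = ext[0]                           # length of the version list
                supported = [struct.unpack("!H", ext[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return rec_ver, client_ver, suites, supported


def build_client_hello(record_version, client_version, suites, supported_versions=()):
    """Build a minimal ClientHello (zero random, no session id, null compression)
    so the parser has a constructed sample to read."""
    ext = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(body)) + body
    hello = (struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", len(suites) * 2)
             + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, record_version, len(hs)) + hs


def describe(data):
    """Human-readable view of the version fields, as a dict."""
    rec_ver, client_ver, suites, supported = parse_client_hello(data)
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "client_version": VERSIONS.get(client_ver, hex(client_ver)),
            "supported_versions": [VERSIONS.get(v, hex(v)) for v in supported],
            "cipher_suites": [hex(s) for s in suites]}


def tls10_server_can_negotiate(data):
    """Version rule only: with supported_versions the server must pick a listed
    version, otherwise it picks min(its max, client max). Record version is ignored."""
    _, client_ver, _, supported = parse_client_hello(data)
    if supported:
        return 0x0301 in supported
    return client_ver >= 0x0301


if __name__ == "__main__":
    sample = build_client_hello(0x0301, 0x0303, [0xC02F, 0x002F])
    print(describe(sample), tls10_server_can_negotiate(sample))
```

A TLS 1.2 Client Hello with record version 0x0301, like the one in the question, still lets a TLS-1.0-only server pick TLS 1.0 on version grounds; if it alerts anyway, compare the offered cipher suites with what the TLS 1.0 server supports.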