F5 WAF use case for internal network
Hi I’m using F5 products for couple of years, and always use F5 WAF for external users (Untrust zone) now try to enable it for internal users to protect a web server (confluence (tomcat)). after I enable F5 WAF we have lot performance and functional issue on Confluence, FYI 1: F5 work on learning mode not blocking mode. now one question come to my mind, is it logical to use F5 WAF protection for this web server? FYI 2: this server has no internet connection. Not published on internet. Only internal users in LAN able to access this server. FYI 3: I see lot’s of people have issue with confluence and F5. Any idea? Thanks
ASM security policy with Atlassian Confluence
Has anybody configured an Atlassian Confluence server behind an F5 with ASM security? I find that it's getting LOTS of false positives that I'm hesitant to accept, mostly of the SQL injection variety (i.e. seeing the words "group" and "by" in a posted paragraph and assuming it's a "group by having" attempt). The method Confluence uses to post messages also makes ASM think it's trying to execute commands like at, ll, eval, etc. I can't set this site up for extended learning because the majority of the users will be external and can't be considered "trusted". Any thoughts/recommendations?
Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
Recently a new critical vulnerability in Atlassian Confluence was discovered. Exploiting the vulnerability may allow attackers to write files into arbitrary locations in the server file system. The vulnerability root cause located in the download all attachments functionality of Confluence, which allows the user to download azip file containingall the files attached to the Confluence document. During the creation of the zip file Confluence creates a temporary directory and copies all the attached files into it, then it creates a zip file from this temporary directory and sends the created zip file in the response. Figure 1: Download all attachments functionality in Confluence Figure 2: Zip file with all the attached files created when download all attachments function is called In order to exploit the vulnerability attacker could tamper with the attachment file name parameter during the attachment upload request by adding directory traversals before the file name. Then when download all attachment function will be triggered Confluence will write the attached files outside of the designated temporary folder, which allows the attacker to write files anywhere in the file system of the server. This could also lead to remote code execution by writing the uploaded file inside a web accessible directory. Figure 3: Tampered attachment upload request Figure 4: Malicious file written into a Confluence web accessible directory Figure 5: JSP code executed when accessing the uploaded file Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing directory traversal attack signatures which can be found in signature sets that include the “Path Traversal” attack type. Figure 6: Exploit blocked with attack signature 200007016 Figure 7: Exploit blocked with attack signature 200000190
