Mitigating Ruby YAML.load Universal RCE Deserialization Gadget with BIG-IP ASM
Recently a new YAML deserialization gadget was published that may lead to arbitrary code execution when it is supplied as input to Ruby's YAML.load function. Prior to this new gadget it was already known that calling YAML.load on user-supplied input is a bad idea, but this was only relevant to applications based on the Ruby on Rails web framework. The newly published gadget is universal, meaning it depends only on classes that ship with a default installation of Ruby, and thus it can execute code in any Ruby application that deserializes YAML documents using the YAML.load function.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Ruby code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Ruby” system.

Figure 1: Exploit blocked with attack signature 200004159

Additional Reading
https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/
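To make the application-side point concrete, here is an added Ruby example (not from the original article and not F5 code): it contrasts the legacy YAML.load behaviour with YAML.safe_load on a constructed document carrying a Ruby object tag, and adds a coarse tag check of the kind a WAF signature performs before the document reaches any loader. The AuditRecord class and both sample documents are constructed for this example.

```ruby
require 'yaml'

# Harmless class that exists only so the tagged document below has a Ruby
# class to name. It is constructed for this example and stands in for the
# Ruby-bundled classes a real gadget chain would name.
class AuditRecord
  attr_accessor :actor, :action
end

# Constructed sample inputs: a plain document and one carrying a Ruby object
# tag, the kind of construct a YAML deserialization gadget relies on.
PLAIN_DOC  = "actor: alice\naction: login\n".freeze
TAGGED_DOC = "--- !ruby/object:AuditRecord\nactor: mallory\naction: escalate\n".freeze

# Legacy YAML.load behaviour (Psych < 4): any class named by a tag is
# instantiated. Psych 4 (Ruby 3.1+) made YAML.load safe by default and kept
# the old behaviour under YAML.unsafe_load, so use whichever this Ruby has.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened alternative: safe_load builds only core types (strings, numbers,
# arrays, hashes, ...) and raises Psych::DisallowedClass for anything else.
def safe_parse(doc)
  YAML.safe_load(doc)
end

# Run one loader over a document and report the outcome as plain data so the
# two loaders can be compared side by side.
def outcome(doc, loader)
  value = send(loader, doc)
  { accepted: true, type: value.class.name }
rescue Psych::DisallowedClass => e
  { accepted: false, reason: e.message }
end

# Coarse request-side check in the spirit of a WAF signature: flag documents
# that carry Ruby-specific tags before any loader sees them. This is a
# detection aid only, not a substitute for safe_load in the application.
def ruby_tag?(doc)
  doc.match?(%r{!ruby/})
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC].each do |doc|
    puts "ruby tag present: #{ruby_tag?(doc)}"
    puts "  legacy load : #{outcome(doc, :legacy_load)}"
    puts "  safe_load   : #{outcome(doc, :safe_parse)}"
  end
end
```

Running it shows the legacy loader happily returning an AuditRecord instance for the tagged document while safe_load rejects it and still parses the plain document.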
iControl Ruby Library Updated to v11.0.0.1

With BIG-IP version 11 now out in the wild, it is time for another iControl Ruby Library update. This new version includes all the hooks you’ll need to take advantage of v11’s awesome new features. Head on over to the iControl Ruby Library forum and pick it up in the Downloads section.

Changelog
- WSDLs updated for version 11
- New examples now packaged with the library
- Tested for backward compatibility with version 10

DevCentral Top 5 05/06/2011
The 20 Lines or Less, the DC weekly podcast, 99% of the hundreds of blogs Don and Lori seem to put out each week...these are but a few of the things you won't see this week in the DC Top 5. With as good as the content is that's getting left out, you can only imagine how good the stuff that made the cut is. It's been a jam-packed few weeks since the last installment. I've survived, somehow, and I'm here to tell the story of what DevCentral's been up to, at least this last week. So check it out, in this week's DevCentral Top 5:

iRules Challenge Results: Can Everyone Win?
http://bit.ly/maEiPC
Every so often the Sales folks invite me over to throw a challenge at the new FSEs that are moving through the initiation/training program, getting their feet wet. This challenge is intended to stretch them a bit and get them thinking about iRules as well as DevCentral and the other resources they'll need to survive when asked to start writing these things in the wild. This time through I pushed a bit harder and created a challenge that would lead, ideally, to the investigation and use of the table command(s), and the beauty therein. I'm impressed at the results I got and I'm quite happy to announce the winner of said Challenge as well as the very honorable mentions.

Ruby and iControl: Remote BIG-IP Software Image Installation
http://bit.ly/kFNpXo
George is up to his wily ways again, what with the Ruby-iControl coding and all. This time he's churned out a tool that looks like it could be extremely handy. This snippet will not only upload but actually install a new image to your F5 device. This is a dream come true for those of you that have been managing such things manually. Even to those that might not use it directly, it's a great peek at some of the things that iControl can do and the lengths to which you can automate things. This one's worth a read for sure.
If a Network Can't Go Virtual Then Virtual Must Come to the Network
http://bit.ly/mT6jH6
In her typical fashion, Lori got me thinking (and a bit fired up) with her post regarding virtualization and multi-tenancy. She accurately points out some pros and cons, as well as where we've been and where we very well might be going when it comes to scaling application solutions and the networks that support them. Regardless of whether you're looking for ultimate performance scaling or silos of resources with no outage overlap, this one is a very good read. Everyone's situation is obviously different but if you're not thinking about this yet, you should be. Sooner rather than later these issues will be facing you; it's good to be prepared.

SSL Renegotiation DOS attack - An iRule Countermeasure
http://bit.ly/j0Y0Wy
David Holmes, our resident security guru, is back and posting about a possible attack vector that could affect nearly the entire web. Sound scary? Well, when you're talking about a vulnerability in a broadly accepted protocol, it's bad enough. When it's a protocol normally associated with the most secure of applications and data, like SSL, then it gets even more worrisome. In this attack, would-be miscreants attempt to hang an SSL enabled server by performing a series of renegotiations, thereby overloading the system. In steps iRules to save the day, as seems to often be the case. With a relatively simple iRule, Jason was able to whip up a solution to this problem by limiting the number of renegotiations allowed on a given connection in a certain time frame. With only a scant amount of development time, this very real threat was able to be completely negated. Take a read to get all the details for yourself.

Post of the Week - SMTP TLS Encryption
http://bit.ly/lZxnhw
Last on the list this time around is the Post of the Week.
Since being revived this popular series is again picking up a following of those interested in either seeing Joe and I goofing off in front of the camera, or some wicked cool solutions offered up in the forums thanks to the awesome community...or maybe both. This week we dig into SMTP TLS Encryption via iRules. Long ago Nat wrote an iRule that did just this but along came a user who wanted more, and more they got. Digging back into the problem a discussion broke out and when the dust settled the solution was even more impressive than it was in its previous form, as formidable as that was. Take a look for yourselves if you want the nitty gritty, and be sure to click through to the post for the real goods straight from the source. That's it for this week's Top5, thanks much for reading.

#Colin

DevCentral Top5 03/04/2011
While the groundhog may have promised an early spring, we’re still feeling the chill here in Seattle. Naturally though that hasn’t impeded the content marching its way across DevCentral in the past weeks. We’ve had everything from awesome blogs and Tech Tips to user contributed content to the triumphant (hopefully) return of a long lost series now born anew. This is your place to find out about all of that and more, as always, as I offer you this week’s DC Top5:

Post of the Week - Regular Expressions
http://bit.ly/e1m4Ri
The aforementioned series being reborn in what is hopefully a triumph is none other than the PotW! This is a series that Deb and I pioneered sometime back in yesteryear to much success. It was shockingly popular and since it’s gone by the wayside people tend to ask for it more than almost any other piece of content I’ve had the pleasure of having my hand in, other than the Top5. After some copious prodding on Joe’s part we’re finally getting this series fired back up. The idea is, every week we grab a particularly interesting forum post and chat about it like geeks tend to do. We analyze, discuss, debate, dissect, divulge and likely many other fun “D” words left as yet unseen. This series is, according to a recent twitter post, “..relaxed, informative, great way to learn; I fear I'm turning into a f5 Fanboy!”. Can’t beat that endorsement folks...go take a look and watch for more every week.

Dynamic Intelligent Application Delivery in a Distributed Environment – Part 2
http://bit.ly/hsL0z9
In a follow-up to his awesome first installment, DevCentral user and MVP Hamish kicks out another jam with this post. If you haven’t yet read the first installment you really should, as this one dives in firmly at the deep end so you may get lost otherwise, but it’s worth the read. The stated intention of the posts is to add intelligence to dynamic load balancing, basically.
This is a very good thing for many reasons (several of which are outlined in the post, hint hint), and as such this post outlining how to do this becomes a very good thing by extension. If that’s not cool enough it’s another awesome example of what makes DevCentral great – the members. Check it out folks.

Ruby and iControl: Distilling SSL Certificate Information from SOAP::Mapping::Objects
http://bit.ly/icBleV
George is back to his Ruby ways, iControlling it up, and this week has chosen to delve into SSL certs and what info you can glean from them. In the arena of cert management I’m sure there are plenty of people who will agree with me about the headaches that can ensue after too many hours of scouring multiple systems and/or certs to decipher what’s expiring when, what different crypto strengths are, what’s acceptable, what isn’t, etc. If only there were some cool, easy to use, free tool that would do all of that for you. Cue the music, folks, that tool is here. George has thrown together an awesome Ruby app that will scour your BIG-IP and put together a very readable list of certs along with the pertinent information you need to know about each one. Come on, it’s even color coded...it just doesn’t get much easier than that. Take a look, this one’s a winner.

2x5-Minute iRules – Timing
http://bit.ly/hq7X47
Timing is everything, or so they say, which means this should be one bang-up article. Luckily it is! Jason has churned out what’s sure to be another hit with this post wherein he looks in-depth at the timing commands in iRules and what makes them ... wait for it ... tick. *rimshot* Seriously though, he has some awesome info on how these commands work, how to use them, what the results mean, etc. But wait, there’s more! As if that weren’t enough he’s gone the extra mile to whip up a python script that will not only slam some traffic against your BIG-IP but also grab the stats and crunch them into some useful info via iControl trickery. This one’s a goody.
How to Build a Silo Faster: Not Enough Ops in your Devops
http://bit.ly/eFQ7Gx
Thought provoking as always, Lori got me nodding my head as well as stopping to think in her recent post about data center automation. She talks about application deployment automation and that, while a good thing, it can’t be accomplished to the fullest extent while focusing solely on the app itself. The surrounding, supporting pieces of the deployment infrastructure are just as important to every application being delivered and while some people realize there are gains to be had while thinking of the entire stack when looking to automate/streamline, there is still plenty of ground to be made up for others. Yes, automating the deployment of your firewalls, ADCs, logging systems, network configs, auth services etc. is just as important when holistically looking at automated app deployment as automating the app itself. Look at the entire app infrastructure, not the singular piece of software.

There they are, five more picks from the many options on DevCentral this week. Be sure to browse around yourself for more hidden goodness as it’s there aplenty in every nook and cranny. Go digging and you’ll be shocked at what you find. See you next week with five more.

#Colin

DevCentral Top5 1/14/2011
We made it! We’ve survived another year and as such are one step closer to the future we’ve been promised for so long, complete with jetpacks, teleporters and press-button meal preparation. That’s my hope, at least. While we’re all just sitting around, waiting for such amenities to arrive, I bring to you some reading to entertain and educate. This week we have an overabundance of options to pick from so I apologize in advance for any wicked cool content that gets left out. What did make it in, though, are a couple of the coolest iRules I’ve seen written in quite a long time, a rockin’ blog post, a sweet product announcement and an all new addition to the iControl libraries on DC. So have at ‘em, here’s the Top5:

Fun with Hash Performance and Google Charts
http://bit.ly/evqw5M
In a very cool look at hashing algorithms, Jason whipped up a killer tech tip that you don’t want to miss. In this article he goes through six different options for load balancing via hash and measures the performance hit of each one. It’s a great look into what you can expect if you’re delving into this more advanced form of traffic management, and it also sets up some pretty darn cool iRules logic, which Joe will commandeer and make use of, as you’ll see later. This is another example of how cool iRules can be as more than just a load balancing decision maker. Graphing the performance of these algorithms via Google charts makes it visually pleasing and easy to see the differences you’re getting. I hear rumor he’s continuing with another article in this vein that I’m very excited for. Wicked cool science indeed.

Comparing iRule Control Statements
http://bit.ly/eRJjIx
So if Jason’s iRule-fu in the above article was a 9, Joe just had to go and turn it up to 11. Heck, he may have even turned it up to 12. This is one of the coolest iRules I’ve seen in quite a while. Why, you ask?
Well because it’s an iRule that writes an iRule, executes the self generated iRule, and then graphs the performance results of said self generated iRule. I’ll pause for a moment so you can re-read that and let it sink in. With me? Okay, so here’s where this thing came from and what it does. Joe and I long ago, in a land not so far away, put together a handy dandy guide to optimizing iRules. In said guide we discussed different control structures (If, switch, matchclass, etc.) and gave some guidance on which to use when to achieve the best performance. Joe wanted to test this in real time with varying sizes of match statements, varying match depths, etc. So, naturally, he built an iRule. Somewhere along the way though he realized that hand-coding 10,000 if/else statements was going to be…less than fun. As such he decided to use the sweet little expr hack we’ve played with from time to time. The result is a flexible iRule that takes arguments and, based on those, puts out a very cool set of graphs that shows just how each different control structure will perform in different situations (number of iterations, match depth, etc.). Super valuable, super cool, and some pretty darn impressive iRules-fu.

Getting Started with Ruby and iControl
http://bit.ly/i0PLh9
Continuing on the “raising the bar” theme we seem to have going so far this week, George was no slouch. For a few weeks now if you wandered by George’s desk you probably saw him chained to it, scouring Ruby books and websites, imbibing physically dangerous amounts of caffeine and poking Joe every couple of hours to ask another question about the deepest, darkest inner workings of iControl. This is because he’s been building his very own iControl library for Ruby. If you’re a Ruby fan, an iControl fan, or just a fan of geeks doing cool stuff, this is one to check out for sure.
In the article George walks through how to install the necessary bits to get started, offers up some example code, and generally hands you the keys to get where you’re trying to go. Check it out and keep an eye out for future versions.

VE as in Very Exciting. ARX VE Trial
http://bit.ly/ewbCqR
Don has been writing plenty of good content lately, but the one post that really caught my eye this week was his post about the release of the ARX VE, which is too cool to pass up sharing. VE, for those not in the know, stands for “Virtual Edition”. It’s our term for the virtualized version of our products that can run on VMWare. These sweet little pieces of techno-goodness allow you to try out, dev against, or in some cases even deploy F5 technology on standard server hardware running VMWare. The news in this post, though, is specifically about ARX. ARX, our file virtualization product, has been as yet unavailable in virtualized form. That has all changed, though, and you can now get your hands on the trial of the ARX VE for free. So go grab it, install it, and start playing with what file virtualization can do for you. Great write-up by Don, great announcement of wicked technology. It’s a double-win.

DevCentral Weekly Podcast 160 – A Poet In Our Midst
http://bit.ly/ggNleJ
While this week’s podcast may be titled to reflect Jason’s poetry, the real meat that I wanted to share has to do with something else. No offense to Jason’s well crafted words, but F5’s Chris Webber stole the show, at least for me. Chris joined the team to talk to us about the release of the BIG-IP Edge Client and BIG-IP Edge Portal iOS applications that are now available for free download in the Apple Store. What this means is that anyone that connects remotely through an F5 Edge Gateway is now able to seamlessly connect via their iPhone, iPad, or iPod touch to get access to internal emails, documents and resources.
It’s a pretty slick little app that’s easy to use, free to download, and can make life a lot nicer if you’re trying to be productive while remote and using an iOS device to do it. Best of all, there is zero configuration required on the admin end…it just works. How sweet is that?! Give it a listen and click through the links to learn more.

That’s all for this week. Now that the (insane) holidays are over I should be back next week with more for you to chew on in case you’re having trouble keeping up with what’s going on out there on DevCentral.

#Colin

How AJAX can make a more agile enterprise
In general, we talk a lot about the benefits of SOA in terms of agility, aligning IT with the business, and risk mitigation. Then we talk about WOA (web oriented architecture) separately from SOA (service oriented architecture) but go on to discuss how the two architectures can be blended to create a giant application architecture milkshake that not only tastes good, but looks good.

AJAX (Asynchronous JavaScript and XML) gets lumped under the umbrella of "Web 2.0" technologies. It's neither WOA nor SOA, being capable of participating in both architectural models easily. Some might argue that AJAX, being bound to the browser and therefore the web, is WOA. But WOA and SOA are both architectural models, and AJAX can participate in both - it is neither one nor the other. It's seen as a tool; a means to an end, rather than as an enabling facet of either architectural model. It's seen as a mechanism for building interactive and more responsive user interfaces, as a cool tool to implement interesting tricks in the browser, and as yet another cross-browser incompatible scripting technology that makes developers' lives miserable.

But AJAX, when used to build enterprise applications, can actually enable and encourage a more agile application environment. When AJAX is applied to user-interface elements to manipulate corporate data, the applications or scripts on the server-side that interact with the GUI are often distilled into discrete blocks of functionality that can be reused in other applications and scripts in which that particular functionality is required. And thus services are born. Services that are themselves agile and thus enable broader agility within the application architecture. They aren't SOA services, at least that's what purists would say, but they are services, empowered with the same characteristics as their SOA-based cousins: reusable and granular.

The problem is that AJAX is still seen as an Allen wrench in an architecture that requires screwdrivers.
It's often viewed only in terms of building a user interface, and the services it creates or takes advantage of on the back-end as being unequal to those specifically architected for inclusion in the enterprise SOA. Because AJAX drives the development of discrete services on the server-side, it can be a valued assistant in decomposing applications into their component services. It can force you to think about the services and the operations required because AJAX necessarily interacts with granular functions of a service in a singular fashion.

If we force AJAX development to focus on the user-interface, we lose some of the benefits we can derive from the design and development process by ignoring how well AJAX fits into the service-oriented paradigm. We lose the time and effort that goes into defining the discrete services that will be used by an AJAX-enabled component in the user-interface, and the possibility of reusing those services in the broader SOA.

An SOA necessarily compels us to ignore platform and language and concentrate on the service. Services deployed on a web server utilizing PHP or ASP or Ruby as their implementation language are no different than those deployed on heavy application servers using JSP or Java or .NET. They can and should be included in the architectural design process to ensure they can be reused when possible.

AJAX forces you to think in a service-oriented way. The services required by an AJAX-enabled user-interface should be consistent with the enterprise's architectural model and incorporated into that architecture whenever possible in order to derive agility and reuse from those services. AJAX is inherently an agile technology. Recognizing that early and incorporating the services required by AJAX-enabled components can help build a more agile, more consistent, more SOA-like application infrastructure.