Mitigate Apache Struts 2 vulnerability, CVE-2017-5638
Problem this snippet solves:
F5 has updated the official KB article K43451236 on AskF5 to include an enhanced version of the iRule below, which protects vulnerable web servers behind the BIG-IP by mitigating the Apache Struts 2 vulnerability, CVE-2017-5638.
How to use this snippet:
Add the iRule to a virtual server.
iRule below contributed by LinJing.
Code :
# Contributed by LinJing
when HTTP_REQUEST {
    if {([HTTP::header exists "Content-Type"])}{
        # Lowercase the header so the substring checks are case-insensitive
        set ctheader [string tolower [HTTP::header "Content-Type"]]
        if {($ctheader contains "multipart/form-data") and (($ctheader contains "'") or ($ctheader contains "ognl") or ($ctheader contains "java.lang") or ($ctheader contains "bash") or ($ctheader contains "cmd") or ($ctheader contains "org.apache")) }{
            log local0. "Found Struts S2-045 attack! Rejecting a request with Content-type [HTTP::header "Content-Type"] to [HTTP::uri] from [IP::client_addr]"
            # If you do not want to reset the connection, then comment out the line below
            reject
        }
    }
}
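The following Python model of the iRule's Content-Type check is an added example, not code from F5 or LinJing. It runs the same substring logic over constructed sample headers so you can see which legitimate uploads the rule would also reset. The function names and sample values are assumptions made for illustration.

```python
# Added example: Python model of the iRule's Content-Type check, for
# reviewing its behaviour on sample headers. Not F5 or LinJing code.

# Substrings the iRule looks for once "multipart/form-data" is present.
TOKENS = ("'", "ognl", "java.lang", "bash", "cmd", "org.apache")


def irule_would_reject(content_type):
    """Return the matched tokens (empty list means the request passes).

    Mirrors the iRule: no header -> pass; header is lowercased; the token
    check only runs when the value contains "multipart/form-data".
    """
    if content_type is None:          # [HTTP::header exists] is false
        return []
    ct = content_type.lower()         # string tolower
    if "multipart/form-data" not in ct:
        return []
    return [t for t in TOKENS if t in ct]


# Constructed sample headers (not captured traffic). The "suspicious" entry
# is a non-functional placeholder that only carries the marker strings.
SAMPLES = {
    "plain_upload": "multipart/form-data; boundary=----FormBoundary7MA4YWxk",
    "json_api": "application/json",
    "no_header": None,
    "suspicious": "%{#x='multipart/form-data'}.(OGNL-PLACEHOLDER java.lang.X)",
    # Legitimate upload whose random boundary happens to contain "cMd".
    "boundary_collision": "multipart/form-data; boundary=----FormBoundaryq8cMdT2z",
    # The apostrophe is a permitted boundary character (RFC 2046).
    "apostrophe_boundary": "multipart/form-data; boundary=it's-a-boundary",
}


def review(samples):
    """Map each sample name to the tokens that would trigger a reject."""
    return {name: irule_would_reject(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, hits in review(SAMPLES).items():
        verdict = "REJECT" if hits else "pass"
        print(f"{name:20} {verdict:7} {hits}")
```

The last two samples are benign uploads that the rule would reset, which is worth checking against your own upload traffic before leaving the reject line enabled.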
Published Mar 07, 2017
Version 1.0