使用 F5 iRule 缓解 Apache Log4j2 漏洞 [CVE-2021-44228]

Posted by sysin on 2021-12-14
Estimated Reading Time 3 Minutes
Words 575 In Total
更新日期:Tue Dec 14 2021 14:39:46 GMT+0800,阅读量:

请访问原文链接:使用 F5 iRule 缓解 Apache Log4j2 漏洞 [CVE-2021-44228],查看最新版。原创作品,转载请保留出处。

作者主页:sysin.org


无耻抄袭者 Yu Tao,请立遁!!!

关于 Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228,刷屏事件,不再赘述。直接上 iRule。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
when HTTP_REQUEST {
# Version 2.2 - 2021-12-13 19:00 Eastern
# - Added PUT method payload check
# Version 2.1 - 2021-12-13 17:00 Eastern
# - Revision to header & body regexp for new evasions
# - Made default URI regexp less aggressive to avoid false positives - same as header & body now
# - Added while loop limit
# Version 2.0 - 2021-12-11 23:40 Eastern
# - Handling nested URI encoding
# - Improved matching
# Version 1.0 - 2021-12-11 06:10 Eastern
# - Initial release
#
# Very aggressive regexp "\$\{.+" (remove quotes and replace regexps below "\$\{\s*(j|\$?\{.+?\})") # URI blocking
# Be sure you're patched for CVE-2021-22991 or remove -normalized
set tmpUri [HTTP::uri -normalized]
set uri [URI::decode $tmpUri]
set loopLimit 5
set loopCount 1
while { $uri ne $tmpUri } {
if {$loopCount >= $loopLimit} {
log local0. "log4j_rce_detection drop on URI loop limit: $loopCount $uri"
drop
event disable all
return
} else {
set tmpUri $uri
set uri [URI::decode $tmpUri]
incr loopCount
}
}

if {[string tolower $uri] matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
log local0. "log4j_rce_detection drop on URI: $uri"
drop
event disable all
return
}

# Header blocking (sysin)
set tmpReq [HTTP::request]
set req [URI::decode $tmpReq]
set loopLimit 5
set loopCount 1
while { $req ne $tmpReq } {
if {$loopCount >= $loopLimit} {
log local0. "log4j_rce_detection drop on header loop limit: $loopCount $req"
drop
event disable all
return
} else {
set tmpReq $req
set req [URI::decode $tmpReq]
incr loopCount
}
}

if {[string tolower $req] matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
log local0. "log4j_rce_detection drop on header: $req"
drop
event disable all
return
}

# POST & PUT Payload blocking
# NOTE: This only collects the first 1MB by default - edit 'collectSize' to change
set collectSize 1048576
if {([HTTP::method] eq "POST") || ([HTTP::method] eq "PUT")} {
# Trigger collection for up to 1MB of data (sysin)
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $collectSize}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length $collectSize
}
# Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
}

when HTTP_REQUEST_DATA {
set tmpPayload [HTTP::payload]
set payload [URI::decode $tmpPayload]
set loopLimit 5
set loopCount 1
while { $payload ne $tmpPayload } {
if {$loopCount >= $loopLimit} {
log local0. "log4j_rce_detection drop on payload loop limit: $loopCount"
drop
event disable all
return
} else {
set tmpPayload $payload
set payload [URI::decode $tmpPayload]
incr loopCount
}
}

if {[string tolower $payload] matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
log local0. "log4j_rce_detection drop on payload"
drop
event disable all
}
}

捐助本站 ❤️ Donate

点击访问官方网站


文章用于推荐和分享优秀的软件产品及其相关技术,所有软件默认提供官方原版(免费版或试用版),免费分享。对于部分产品笔者加入了自己的理解和分析,方便学习和测试使用。任何内容若侵犯了您的版权,请联系作者删除。如果您喜欢这篇文章或者觉得它对您有所帮助,或者发现有不当之处,欢迎您发表评论,也欢迎您分享这个网站,或者赞赏一下作者,谢谢!

支付宝赞赏 微信赞赏

赞赏一下


☑️ 评论恢复,欢迎留言❗️
敬请注册!点击 “登录” - “用户注册”(已知不支持 21.cn/189.cn 邮箱)。请勿使用联合登录(已关闭)