使用 F5 iRule 缓解 Apache Log4j2 漏洞 [CVE-2021-44228]

Posted by sysin on 2021-12-14




关于 Apache Log4j2 远程代码执行漏洞(Remote Code Execution vulnerability,CVE-2021-44228),业界已广泛报道,此处不再赘述,直接给出用于临时缓解的 iRule。

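when HTTP_REQUEST {
    # Version 2.2 - 2021-12-13 19:00 Eastern
    # - Added PUT method payload check
    # Version 2.1 - 2021-12-13 17:00 Eastern
    # - Revision to header & body regexp for new evasions
    # - Made default URI regexp less aggressive to avoid false positives - same as header & body now
    # - Added while loop limit
    # Version 2.0 - 2021-12-11 23:40 Eastern
    # - Handling nested URI encoding
    # - Improved matching
    # Version 1.0 - 2021-12-11 06:10 Eastern
    # - Initial release
    #
    # Purpose: in-line, best-effort mitigation for CVE-2021-44228 (Log4Shell).
    # The normalized URI and the raw request header block are each URI-decoded
    # repeatedly (bounded by loopLimit, because nested encodings need several
    # passes) and then matched, lowercased, against a JNDI-lookup pattern.
    # POST/PUT bodies are collected here and checked in HTTP_REQUEST_DATA.
    # A match - or a value that is still changing after loopLimit passes - drops
    # the connection and disables further iRule events for it.
    # Pattern matching is a compensating control only: it reduces exposure and
    # alert noise while the Log4j instances behind this virtual are patched.
    #
    # Very aggressive regexp "\$\{.+" (remove quotes and replace regexps below "\$\{\s*(j|\$?\{.+?\})") # URI blocking
    # Be sure you're patched for CVE-2021-22991 or remove -normalized
    set tmpUri [HTTP::uri -normalized]
    set uri [URI::decode $tmpUri]
    set loopLimit 5
    set loopCount 1
    # Decode until the value stops changing (nested encodings need several passes).
    while { $uri ne $tmpUri } {
        if {$loopCount >= $loopLimit} {
            # Still changing after loopLimit passes: treat as evasion and drop.
            log local0. "log4j_rce_detection drop on URI loop limit: $loopCount $uri"
            drop
            event disable all
            return
        } else {
            set tmpUri $uri
            set uri [URI::decode $tmpUri]
            incr loopCount
        }
    }

    if {[string tolower $uri] matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
        log local0. "log4j_rce_detection drop on URI: $uri"
        drop
        event disable all
        return
    }

    # Header blocking (sysin)
    # HTTP::request is the complete raw request header block, so every header
    # value (User-Agent, X-Forwarded-For, custom headers, ...) is covered.
    set tmpReq [HTTP::request]
    set req [URI::decode $tmpReq]
    set loopLimit 5
    set loopCount 1
    while { $req ne $tmpReq } {
        if {$loopCount >= $loopLimit} {
            log local0. "log4j_rce_detection drop on header loop limit: $loopCount $req"
            drop
            event disable all
            return
        } else {
            set tmpReq $req
            set req [URI::decode $tmpReq]
            incr loopCount
        }
    }

    if {[string tolower $req] matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
        # NOTE: $req is the whole decoded header block, so this log line may
        # carry Cookie / Authorization values into the local0 log; redact or
        # shorten it if that log is shipped off-box.
        log local0. "log4j_rce_detection drop on header: $req"
        drop
        event disable all
        return
    }

    # POST & PUT Payload blocking
    # NOTE: This only collects the first 1MB by default - edit 'collectSize' to change
    set collectSize 1048576
    if {([HTTP::method] eq "POST") || ([HTTP::method] eq "PUT")} {
        # Trigger collection for up to 1MB of data (sysin)
        # Fix: the original "if {...}{" had no space before the body brace,
        # which Tcl rejects ("extra characters after close-brace").
        # Only a strictly integer Content-Length is trusted for the size
        # comparison; an absent, chunked or malformed value falls back to
        # collectSize, exactly as the empty-header case did before.
        set content_length [HTTP::header "Content-Length"]
        if {![string is integer -strict $content_length] || $content_length > $collectSize} {
            set content_length $collectSize
        }
        # Check if $content_length is not set to 0 (HTTP::collect 0 is pointless)
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}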

when HTTP_REQUEST_DATA {
    # Body check for the bytes gathered by HTTP::collect in HTTP_REQUEST.
    # Same scheme as the URI/header checks: URI-decode the payload until it
    # is stable (at most maxPasses passes), then match the lowercased result
    # against the JNDI-lookup pattern. A match, or a payload still changing
    # after maxPasses decodes, drops the connection and disables further
    # iRule events on it. Only the collected prefix of the body is inspected.
    set raw [HTTP::payload]
    set decoded [URI::decode $raw]
    set maxPasses 5
    for {set pass 1} {$decoded ne $raw} {incr pass} {
        if {$pass >= $maxPasses} {
            # Still changing after maxPasses decodes: treat as evasion and drop.
            log local0. "log4j_rce_detection drop on payload loop limit: $pass"
            drop
            event disable all
            return
        }
        set raw $decoded
        set decoded [URI::decode $raw]
    }

    set lowered [string tolower $decoded]
    if {$lowered matches_regex {\$\{\s*(j|\$?\{.+?\})}} {
        # Payload content is deliberately not logged here (it may be large
        # and may contain user data); the event name alone is recorded.
        log local0. "log4j_rce_detection drop on payload"
        drop
        event disable all
    }
}
