
关于 Apache Log4j2 Remote Code Execution vulnerability（CVE-2021-44228），已是刷屏事件，不再赘述。直接上 iRule。

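when HTTP_REQUEST {
    # Version 2.2 - 2021-12-13 19:00 Eastern
    # - Added PUT method payload check
    # Version 2.1 - 2021-12-13 17:00 Eastern
    # - Revision to header & body regexp for new evasions
    # - Made default URI regexp less aggressive to avoid false positives - same as header & body now
    # - Added while loop limit
    # Version 2.0 - 2021-12-11 23:40 Eastern
    # - Handling nested URI encoding
    # - Improved matching
    # Version 1.0 - 2021-12-11 06:10 Eastern
    # - Initial release
    #
    # Purpose: drop requests that carry a Log4j JNDI lookup pattern
    # (CVE-2021-44228) in the URI, in the request line/headers, or - for
    # POST/PUT - in the body (checked in HTTP_REQUEST_DATA after collection).
    # Each part is URI-decoded repeatedly, at most loopLimit passes, so nested
    # percent-encoding cannot hide the pattern; a value that is still changing
    # after loopLimit passes is treated as an evasion attempt and dropped too.
    # Log lines carry the client address. The header check logs only a short
    # window around the match instead of the whole decoded request, so that
    # cookies and Authorization headers are not copied into the LTM log.
    #
    # Very aggressive regexp "\$\{.+" (remove quotes and replace regexps below "\$\{\s*(j|\$?\{.+?\})") # URI blocking
    # Be sure you're patched for CVE-2021-22991 or remove -normalized
    set tmpUri [HTTP::uri -normalized]
    set uri [URI::decode $tmpUri]
    set loopLimit 5
    set loopCount 1
    while { $uri ne $tmpUri } {
        if { $loopCount >= $loopLimit } {
            # Still changing after loopLimit decode passes: treat as evasion
            log local0. "log4j_rce_detection drop on URI loop limit: $loopCount from [IP::client_addr]: $uri"
            drop
            event disable all
            return
        }
        set tmpUri $uri
        set uri [URI::decode $tmpUri]
        incr loopCount
    }

    # Pattern only contains lower-case letters, so compare against a lowered copy
    if { [string tolower $uri] matches_regex {\$\{\s*(j|\$?\{.+?\})} } {
        log local0. "log4j_rce_detection drop on URI from [IP::client_addr]: $uri"
        drop
        event disable all
        return
    }

    # Header blocking (sysin)
    # HTTP::request is the raw request line plus every header, so this pass
    # also re-covers the request line.
    set tmpReq [HTTP::request]
    set req [URI::decode $tmpReq]
    set loopLimit 5
    set loopCount 1
    while { $req ne $tmpReq } {
        if { $loopCount >= $loopLimit } {
            # Do not log the whole request here: headers may carry credentials
            log local0. "log4j_rce_detection drop on header loop limit: $loopCount from [IP::client_addr] [HTTP::method] [HTTP::host][HTTP::uri]"
            drop
            event disable all
            return
        }
        set tmpReq $req
        set req [URI::decode $tmpReq]
        incr loopCount
    }

    # -indices yields {start end} of the match; string tolower maps characters
    # one-to-one, so the indices apply to $req as well.
    if { [regexp -indices -- {\$\{\s*(j|\$?\{.+?\})} [string tolower $req] matchIdx] } {
        # Log a bounded window around the match rather than the full request
        set winStart [expr {[lindex $matchIdx 0] - 32}]
        if { $winStart < 0 } { set winStart 0 }
        set winEnd [expr {[lindex $matchIdx 1] + 96}]
        log local0. "log4j_rce_detection drop on header from [IP::client_addr]: ...[string range $req $winStart $winEnd]..."
        drop
        event disable all
        return
    }

    # POST & PUT Payload blocking
    # NOTE: This only collects the first 1MB by default - edit 'collectSize' to change
    set collectSize 1048576
    if { ([HTTP::method] eq "POST") || ([HTTP::method] eq "PUT") } {
        # Trigger collection for up to 1MB of data (sysin)
        # Only trust Content-Length when it is a well-formed integer; a missing,
        # non-numeric or oversized value falls back to the collectSize cap, so a
        # malformed header cannot raise a Tcl error and abort the rule.
        set clHeader [HTTP::header "Content-Length"]
        if { [string is integer -strict $clHeader] && $clHeader <= $collectSize } {
            set content_length $clHeader
        } else {
            set content_length $collectSize
        }
        # Check if $content_length is not set to 0 (or negative) before collecting
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}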

when HTTP_REQUEST_DATA {
    # Fires once the body bytes requested by HTTP::collect in HTTP_REQUEST have
    # arrived. The collected payload is URI-decoded repeatedly (at most
    # maxDecodePasses times); a payload that keeps changing past that limit, or
    # one that matches the JNDI lookup pattern after decoding, is dropped.
    set maxDecodePasses 5
    set decodePasses 1
    set rawPayload [HTTP::payload]
    set decodedPayload [URI::decode $rawPayload]
    while { $decodedPayload ne $rawPayload } {
        if { $decodePasses >= $maxDecodePasses } {
            # Still changing after the allowed passes: treat as evasion
            log local0. "log4j_rce_detection drop on payload loop limit: $decodePasses"
            drop
            event disable all
            return
        }
        set rawPayload $decodedPayload
        set decodedPayload [URI::decode $rawPayload]
        incr decodePasses
    }

    # Pattern only contains lower-case letters, so match against a lowered copy
    set haystack [string tolower $decodedPayload]
    if { [regexp -- {\$\{\s*(j|\$?\{.+?\})} $haystack] } {
        # Payload content is deliberately not written to the log
        log local0. "log4j_rce_detection drop on payload"
        drop
        event disable all
    }
}
