Mitigate Apache Struts 2 vulnerability, CVE-2017-5638

Problem this snippet solves:

F5 has updated the official KB article K43451236 on AskF5 to include an enhanced version of the iRule below. The iRule protects vulnerable web servers behind the BIG-IP by mitigating the Apache Struts 2 vulnerability, CVE-2017-5638.

How to use this snippet:

Add the iRule to a virtual server.

The iRule below was contributed by LinJing.

Code:

# Contributed by LinJing
when HTTP_REQUEST {
    # Only inspect requests that carry a Content-Type header
    if { [HTTP::header exists "Content-Type"] } {
        # Lowercase the header so the substring checks are case-insensitive
        set ctheader [string tolower [HTTP::header "Content-Type"]]
        # Match multipart requests whose Content-Type contains any listed token
        if { ($ctheader contains "multipart/form-data") and
             (($ctheader contains "'") or ($ctheader contains "ognl") or
              ($ctheader contains "java.lang") or ($ctheader contains "bash") or
              ($ctheader contains "cmd") or ($ctheader contains "org.apache")) } {
            log local0. "Found Struts S2-045 attack! Rejecting a request with Content-type [HTTP::header "Content-Type"] to  [HTTP::uri]  from  [IP::client_addr]"
            # If you do not want to reset the connection, comment out the line below
            reject
        }
    }
}
Published Mar 07, 2017
Version 1.0
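
To see which Content-Type values the rule would reject before attaching it to a production virtual server, the matching logic can be replayed offline. The Python below is an added example, not part of the contributed iRule or of F5's code; the function names and the sample headers are constructed for illustration.

```python
# Added example: Python mirror of the iRule's Content-Type check, for replaying
# header values offline. The sample headers are constructed, not captured traffic.

# Substrings the iRule looks for once the header is known to be multipart.
SUSPICIOUS_TOKENS = ("'", "ognl", "java.lang", "bash", "cmd", "org.apache")


def matched_tokens(content_type):
    """Return the tokens the iRule would match, or [] if the request would pass."""
    if content_type is None:          # [HTTP::header exists "Content-Type"] is false
        return []
    header = content_type.lower()     # same effect as [string tolower ...]
    if "multipart/form-data" not in header:
        return []                     # the rule only inspects multipart requests
    return [tok for tok in SUSPICIOUS_TOKENS if tok in header]


def replay(headers):
    """Split header values into (rejected, passed) lists, as the iRule would."""
    rejected, passed = [], []
    for value in headers:
        hits = matched_tokens(value)
        (rejected if hits else passed).append((value, hits))
    return rejected, passed


# Constructed samples: ordinary uploads, a marker string, and a likely false positive.
SAMPLES = [
    "multipart/form-data; boundary=----WebKitFormBoundaryAbC123",
    "Multipart/Form-Data; boundary=x; note=JAVA.LANG.placeholder",
    "multipart/form-data; boundary=----cmdUploadBoundary42",  # legitimate, contains "cmd"
    "application/json; note='quoted'",                         # not multipart: not inspected
    None,                                                      # request without Content-Type
]

if __name__ == "__main__":
    rejected, passed = replay(SAMPLES)
    for value, hits in rejected:
        print(f"REJECT {value!r} matched {hits}")
    for value, _ in passed:
        print(f"PASS   {value!r}")
```

The third sample shows why a log-only trial is worth running first: a legitimate upload whose boundary string happens to contain "cmd" would be reset.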