Forum Discussion

T_Rajneesh
May 06, 2019

How to block /_async/* and /wls-wsat/* at the F5 Load Balancer for Oracle WebLogic server.

Critical remote code execution vulnerability found in Oracle WebLogic server.

Can you please suggest how to block /_async/* and /wls-wsat/* at the F5 Load Balancer?

Is it possible to do it via an iRule on LTM, or is there another way?

Thank you

2 Replies

  • Three ways to do it...

    Using 'contains':

    when HTTP_REQUEST {
        # Case-insensitive substring match on the raw request URI.
        # Note: a percent-encoded form such as %5fasync would not match this check.
        if { ([string tolower [HTTP::uri]] contains "_async") || ([string tolower [HTTP::uri]] contains "wls-wsat") } {
            drop
        }
    }
    

    Using 'starts_with':

    when HTTP_REQUEST {
        # Case-insensitive prefix match, anchored at the start of the URI
        if { ([string tolower [HTTP::uri]] starts_with "/_async") || ([string tolower [HTTP::uri]] starts_with "/wls-wsat") } {
            drop
        }
    }
    

    But the best option is to configure a policy in LTM, which has exactly the same options I'm using in the previous iRules and is faster.

    REF - https://devcentral.f5.com/articles/ltm-policy

    KR, Dario.
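The LTM policy Dario recommends, written out in tmsh as an added example (this is not code from the post or from F5's documentation). The policy name block_weblogic_paths, the virtual server name vs_weblogic, and the draft/publish workflow of TMOS 12.1 and later are assumptions; check the exact grammar on your version. It mirrors the 'starts_with' iRule: a case-insensitive prefix match on the URI path, and a connection reset instead of a silent drop.

```tmsh
# Added example: LTM policy equivalent of the iRules above.
# Names (block_weblogic_paths, vs_weblogic) are assumptions; the draft/publish
# workflow applies to TMOS 12.1 and later.

# 1. Create the policy as a draft. 'forwarding' is required for the reset
#    action, 'http' because the condition inspects the HTTP URI, and
#    first-match stops evaluation at the first rule that fires.
create ltm policy Drafts/block_weblogic_paths controls add { forwarding } requires add { http } strategy first-match

# 2. One rule: if the URI path starts with either prefix (case-insensitive,
#    like 'string tolower' + 'starts_with' in the iRule), reset the connection.
#    Matching on the path rather than the full URI keeps a query string such as
#    ?redirect=/_async/ from triggering the rule on a legitimate request.
modify ltm policy Drafts/block_weblogic_paths rules add {
    block_async_wsat {
        ordinal 1
        conditions add {
            0 { http-uri path starts-with case-insensitive values { /_async /wls-wsat } }
        }
        actions add {
            0 { forward reset }
        }
    }
}

# 3. Publish the draft and attach it to the WebLogic virtual server.
publish ltm policy Drafts/block_weblogic_paths
modify ltm virtual vs_weblogic policies add { block_weblogic_paths }
```

To check it, request /_async/anything and /WLS-WSAT/anything against the virtual server: curl should fail with a connection reset rather than receive an HTTP response, while / and the application paths still return normally. If you prefer clients to see an explicit deny, replace the reset with a redirect action to an error page; with the reset the client gets no HTTP status at all.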

    • davidfisher

      Is this a good way to use iRules to just block a CVE? Can't we use ASM to do this?

      This iRule is creating a problem with the F5 maintenance page iRule which we are using.

      I have these iRules applied, and the moment I add the one with the maintenance page, the connection just starts dropping.

      =-=-=
      ### MAINT PAGE IRULE
      when HTTP_REQUEST {
          # Serve the maintenance page from an iFile when the pool has no active members
          if { [active_members XXX_pool] == 0 } {
              HTTP::respond 200 content [ifile get main-image]
          }
      }

      ### ROOT REDIRECT IRULE
      when HTTP_REQUEST {
          # Skip if an earlier iRule has already answered this request
          if { [HTTP::has_responded] } { return }
          if { [HTTP::path] equals "/" } {
              HTTP::respond 302 Location "https://testing.com/testingweb/common/tesnet.jsf" Strict-Transport-Security "max-age=16070400"
              return
          }
      }

      ### WEBLOGIC URI BLOCK IRULE
      when HTTP_REQUEST {
          # Case-insensitive substring match on the request URI
          set uri [string tolower [HTTP::uri]]
          if { ($uri contains "/wls-wsat/") or ($uri contains "/_async/") } {
              drop
          }
      }
      =-=-=