F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)安全风险通告

mv <path to script>/mitigation.txt <path to script>/mitigation.sh

chmod +x <path to script>/mitigation.sh && touch <path to script>/mitigation.sh

<path to script>/mitigation.sh

#!/bin/sh## Copyright © 2023, F5 Networks, Inc. All rights reserved.## No part of this software may be reproduced or transmitted in any# form or by any means, electronic or mechanical, for any purpose,# without express written permission of F5 Networks, Inc.#proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"tomcat_conf="/etc/tomcat/server.xml"# Backup original configuration filesif [ ! -f "${proxy_ajp_conf}.f5orig" ]; then    cp "${proxy_ajp_conf}" "${proxy_ajp_conf}.f5orig"fiif [ ! -f "${tomcat_conf}.f5orig" ]; then    cp "${tomcat_conf}" "${tomcat_conf}.f5orig"fiusage(){    echo "Usage: $0 [-h]|[-u][-r]"    echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons."    echo "     : -h    Display this help message"    echo "     : -u    Undo the ID1378329 mitigation"    exit 255}PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@")VALID_ARGS=$?if [ "$VALID_ARGS" != "0" ]; then  usagefiUNDO="false"eval set -- "$PARSED_ARGS"while :do  case "$1" in    -h | --help)                   usage           ; shift   ;;    -u | --undo)                   UNDO="true"     ; shift   ;;    --)                            shift; break ;;    *)                             echo "Unexpected option: $1 - this should not happen."; usage ;;  esacdoneif $UNDO; then    echo "Undoing ID1378329 mitigation..."    # Be very careful when editing this section.    #    # We use double quotes here to allow variable substitution to add the random    # secret, which means we have to quote shell metacharacters that we don't want    # changed.    #    # We remove any existing secret directive, then add the new one.  This    # version of sed doesn't support the '+' regex match modifier, thus the    # repeated match strings and use of '*'.    #    PAJPSED="    /proxypassmatch/I {    s/\s\s*secret=[0-9a-f]*\s\s*/ /I;    s/\s\s*secret=[0-9a-f]*$//I;    }    "    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"    # Be very careful when editing this section.    #    #    # Here we either replace or add the requiredSecret option, we also use pipe    # symbols instead of forward slashes to delimit the regular expressions, since    # it includes forward slashes.  This version of sed doesn't support the '+'    # regex match modifier, thus the repeated match strings and use of '*'.    #    TOMCATSED="    /tomcatauthentication=/I {    s|\s\s*requiredSecret="[0-9a-f]*"||;    }    "    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"else    echo "Applying ID1378329 mitigation..."    random_secret=$(head -c 20 /dev/random | xxd -p -c 20)    # Creating random nonce    # Be very careful when editing this section.    #    # We use double quotes here to allow variable substitution to add the random    # secret, which means we have to quote shell metacharacters that we don't want    # changed.    #    # First we remove any existing secret directive, then add the new one.  This    # version of sed doesn't support the '+' regex match modifier, thus the    # repeated match strings and use of '*'.    #    PAJPSED="    /proxypassmatch/I {    s/\s\s*secret=[0-9a-f][0-9a-f]*\s\s*/ /I;    s/\s\s*secret=[0-9a-f][0-9a-f]*$//I;    s/$/ secret=${random_secret}/;    }    "    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"    # Be very careful when editing this section.    #    #    # Here we either replace or add the requiredSecret option, we also use pipe    # symbols instead of forward slashes to delimit the regular expressions, since    # it includes forward slashes.  This version of sed doesn't support the '+'    # regex match modifier, thus the repeated match strings and use of '*'.    #    TOMCATSED="    /tomcatauthentication=/I {    s|\s\s*requiredSecret="[0-9a-f][0-9a-f]*"| requiredSecret="${random_secret}"|;    s|"false"\s\s*/>|"false" requiredSecret="${random_secret}" />|;    }    "    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"fiecho "Restarting httpd..."bigstart restart httpdecho "Restarting tomcat..."bigstart restart tomcatecho "Done!"