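#!/bin/sh
#
# Copyright © 2023, F5 Networks, Inc. All rights reserved.
# Version 1.0
# No part of this software may be reproduced or transmitted in any
# form or by any means, electronic or mechanical, for any purpose,
# without express written permission of F5 Networks, Inc.
#
# Applies (or, with -u, removes) the ID1378329 mitigation: a freshly
# generated hex secret is written as the AJP "secret" on the httpd
# ProxyPassMatch line and as "requiredSecret" on the Tomcat connector, and
# both daemons are restarted afterwards.
#
# Usage: $0 [-h] | [-u] [-r]
#   -h, --help     print usage and exit 255
#   -u, --undo     strip the secret directives instead of adding them
#   -r, --restart  accepted for compatibility with the documented usage; the
#                  daemons are restarted unconditionally either way
#
# Files written:
#   <conf>.f5orig  one-time copy of each config file, taken before the first
#                  edit and never overwritten
#   <conf>.bak     written by "sed -i.bak" on every run; holds the previous
#                  contents (including any previous secret)
#
# Exit status: 0 on success, 1 on a failed precondition/edit/restart,
#              255 for usage errors.

set -u

proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"
tomcat_conf="/etc/tomcat/server.xml"

# Print a diagnostic to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

usage() {
  echo "Usage: $0 [-h]|[-u][-r]"
  echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons."
  echo " : -h Display this help message"
  echo " : -u Undo the ID1378329 mitigation"
  echo " : -r Restart httpd and tomcat (always done; flag kept for compatibility)"
  exit 255
}

#######################################
# Keep a pristine copy of a config file the first time this script edits it.
# Arguments: $1 - path of the configuration file
# Outputs:   creates "$1.f5orig" if it does not exist yet
# Returns:   0, or exits via die() when the file is missing or cannot be copied
#######################################
backup_once() {
  [ -f "$1" ] || die "Configuration file not found: $1"
  if [ ! -f "$1.f5orig" ]; then
    cp -p -- "$1" "$1.f5orig" || die "Cannot back up $1 to $1.f5orig"
  fi
}

#######################################
# Run a sed script in place against a config file, keeping a .bak copy.
# The script is handed to sed through a private temp file (sed_script, mode
# 0600 from mktemp) instead of argv, so a secret embedded in it does not show
# up in the process list while sed runs.
# Globals:   sed_script (read)
# Arguments: $1 - sed script text
#            $2 - file to edit in place
# Returns:   0, or exits via die() on failure
#######################################
apply_sed() {
  printf '%s\n' "$1" > "$sed_script" || die "Cannot write sed script"
  # -c (copy instead of rename in -i mode) is kept from the original; it is a
  # vendor extension of this platform's sed.
  sed -ci.bak -f "$sed_script" "$2" || die "Editing $2 failed"
}

# getopt re-quotes its output for the shell, which is what makes the
# "eval set --" below safe.
PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@") || usage

UNDO="false"
eval set -- "$PARSED_ARGS"
while :; do
  case "$1" in
    -h | --help) usage ;;
    -u | --undo) UNDO="true"; shift ;;
    # Restart is unconditional (see header); accept the flag rather than
    # rejecting it as "unexpected".
    -r | --restart) shift ;;
    --) shift; break ;;
    *) echo "Unexpected option: $1 - this should not happen."; usage ;;
  esac
done

# Only touch the filesystem once the arguments are known to be valid, so
# "-h" and bad options leave the system untouched.
backup_once "$proxy_ajp_conf"
backup_once "$tomcat_conf"

sed_script=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$sed_script"' EXIT

if [ "$UNDO" = "true" ]; then
  echo "Undoing ID1378329 mitigation..."

  # Be very careful when editing this section.
  #
  # No variable substitution is needed here, so the scripts are single-quoted
  # and the regexes are written literally. This version of sed doesn't
  # support the '+' regex match modifier, thus the repeated match strings and
  # use of '*'.
  #
  PAJPSED='
/proxypassmatch/I {
  s/\s\s*secret=[0-9a-f]*\s\s*/ /I;
  s/\s\s*secret=[0-9a-f]*$//I;
}
'
  apply_sed "$PAJPSED" "$proxy_ajp_conf"

  # Pipe symbols delimit the regular expressions because the text contains
  # forward slashes.
  TOMCATSED='
/tomcatauthentication=/I {
  s|\s\s*requiredSecret="[0-9a-f]*"||;
}
'
  apply_sed "$TOMCATSED" "$tomcat_conf"
else
  echo "Applying ID1378329 mitigation..."

  # 20 random bytes -> 40 lowercase hex characters.
  random_secret=$(head -c 20 /dev/random | xxd -p -c 20)
  # Never write an empty or malformed secret: that would silently leave the
  # AJP connector without a usable shared secret. Hex-only output also
  # guarantees the value contains no sed or XML metacharacters.
  case "$random_secret" in
    "" | *[!0-9a-f]*) die "Failed to generate a random secret" ;;
  esac
  [ "${#random_secret}" -eq 40 ] || die "Unexpected secret length: ${#random_secret}"

  # Be very careful when editing this section.
  #
  # We use double quotes here to allow variable substitution to add the random
  # secret, which means we have to quote shell metacharacters that we don't want
  # changed.
  #
  # First we remove any existing secret directive, then add the new one. This
  # version of sed doesn't support the '+' regex match modifier, thus the
  # repeated match strings and use of '*'.
  #
  PAJPSED="
/proxypassmatch/I {
  s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I;
  s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I;
  s/\$/ secret=${random_secret}/;
}
"
  apply_sed "$PAJPSED" "$proxy_ajp_conf"

  # Be very careful when editing this section.
  #
  # Here we either replace or add the requiredSecret option, we also use pipe
  # symbols instead of forward slashes to delimit the regular expressions, since
  # it includes forward slashes. This version of sed doesn't support the '+'
  # regex match modifier, thus the repeated match strings and use of '*'.
  #
  TOMCATSED="
/tomcatauthentication=/I {
  s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|;
  s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|;
}
"
  apply_sed "$TOMCATSED" "$tomcat_conf"
fi

# Restart both daemons regardless of mode; report (but do not abort on) a
# failed restart so the second daemon is still attempted.
rc=0
echo "Restarting httpd..."
bigstart restart httpd || { echo "Warning: httpd restart failed" >&2; rc=1; }
echo "Restarting tomcat..."
bigstart restart tomcat || { echo "Warning: tomcat restart failed" >&2; rc=1; }
echo "Done!"
exit "$rc"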