Hello,We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and want to check if the following CVEs are covered by this rule set?CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request HandlingCVE-2016-1000027: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.Thanks.

Hi chanzk , Unlike the full blown WAF security solutions, F5 rules on AWS WAF are limited in total capacity, limiting the types of CVEs we can offer protection against. Normally, F5 rules include protection against CVEs that are common among customers. CVE-2016-1000027 may affect only few, therefore it wasn't included yet. We will add it in our next updates. CVE-2021-22118 is a local vulnerability, not a network vulnerability. So less relevant for a WAF. Thanks.

Sure. I'll set myself a reminder to update this thread 🙂

The rule set was updated to include CVE-2016-1000027.

Hi ambrosetse Yes it was updated. sorry it took me longer to answer than expected.

The following is good generic info on the F5 WAF:https://www.f5.com/company/blog/how-does-a-waf-mitigate-vulnerabilitiesYou would probably be looking at signatures. You can look at these if you have a test or eval instance running of the product:https://my.f5.com/manage/s/article/K41207833

Hi whisperer ,Thanks for the reply. As I mentioned, I am using AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules. Therefore I do not have access to the BIG-IP ASM/AdvWAF Configuration Utility. Does it mean that it is impossible to check what CVEs are included when subscripting F5 rules from AWS marketplace?Thanks.

F5 Rules for AWS WAF - CVE-2021-22118 & CVE-2016-1000027

18 Replies

ambrosetse
Altostratus
Oct 05, 2023
Hi Joel_Cohen
I would like to know if the rule set is updated or not?
- Joel_Cohen
  Employee
  Oct 05, 2023
  Hi ambrosetse
  
  Yes it was updated. sorry it took me longer to answer than expected.
  - ambrosetse
    Altostratus
    Jan 29, 2024
    Hi Joel_Cohen
    
    I would like to know if the following rule in "F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules" protect on the CVE-2016-100027?
    If not, which rule will protect on the CVE?
    Also, I find that the action is "Use action defined in the rule", I would like to know the default action of the rule is BLOCK or COUNT?
Joel_Cohen
Employee
Sep 19, 2023
Hi chanzk ,

Unlike the full blown WAF security solutions, F5 rules on AWS WAF are limited in total capacity, limiting the types of CVEs we can offer protection against. Normally, F5 rules include protection against CVEs that are common among customers. CVE-2016-1000027 may affect only few, therefore it wasn't included yet. We will add it in our next updates.

CVE-2021-22118 is a local vulnerability, not a network vulnerability. So less relevant for a WAF.

Thanks.
- chanzk
  Altostratus
  Sep 20, 2023
  Hi Joel_Cohen ,
  Thanks very much of the information. That is useful. May I know the schedule of next updates that invlude CVE-2016-1000027?
  Regards,
  - Joel_Cohen
    Employee
    Sep 21, 2023
    Hi chanzk ,
    
    Apologies for the delayed response- we plan to update it by the first week of October.
    
    Thanks,
buulam
Admin
Sep 18, 2023
Hi chanzk , I've asked the Product Manager for the F5 Rules for AWS WAF to review.

Will let you know what the response is. Thank you
whisperer
MVP
Sep 18, 2023
I really cannot think of a way to a) programmatically via CLI obtain this information from the product, b) nor am I aware of any online based index or search tool for figuring out what version/signature release covers certain CVEs.
If I need a quick answer, I would just run an F5 VE instance on VMware, same BIGIP code and attack signature version, and reference it that way.
I would be very interested in knowing of a better way of doing this. Have you tried to contact an F5 sales engineer or product support?
PSFletchTheTek
MVP
Sep 18, 2023
If someone has access to a f5 with WAF you could follow this?
https://my.f5.com/manage/s/article/K45558510
whisperer
MVP
Sep 17, 2023
The following is good generic info on the F5 WAF:
https://www.f5.com/company/blog/how-does-a-waf-mitigate-vulnerabilities
You would probably be looking at signatures. You can look at these if you have a test or eval instance running of the product:
https://my.f5.com/manage/s/article/K41207833
- chanzk
  Altostratus
  Sep 18, 2023
  Hi whisperer ,
  Thanks for the reply. As I mentioned, I am using AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules. Therefore I do not have access to the BIG-IP ASM/AdvWAF Configuration Utility. Does it mean that it is impossible to check what CVEs are included when subscripting F5 rules from AWS marketplace?
  Thanks.