F5 Rules for AWS WAF - CVE-2021-22118 & CVE-2016-1000027
We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and want to check if the following CVEs are covered by this rule set?
- CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request Handling
- CVE-2016-1000027: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Hi chanzk,
Unlike the full-blown WAF security solutions, F5 rules on AWS WAF are limited in total capacity, limiting the types of CVEs we can offer protection against. Normally, F5 rules include protection against CVEs that are common among customers. CVE-2016-1000027 may affect only a few, therefore it wasn't included yet. We will add it in our next updates.
CVE-2021-22118 is a local vulnerability, not a network vulnerability, so it is less relevant for a WAF.