Hello,We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription.Where can we find the information of which CVEs are covered by this Rule set?When a new High Risk CVE is identified how long it would take to be added in the Rule set list? This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere?Thanks in advance.

Hi tkreque I checked with our Product Management on this. Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets. Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

Forum Discussion

tkreque

Nimbostratus

Oct 20, 2022

F5 Rules for AWS WAF - List of CVE

Hello,

We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription.

Where can we find the information of which CVEs are covered by this Rule set?
When a new High Risk CVE is identified how long it would take to be added in the Rule set list?

This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere?

Thanks in advance.

buulam
Jan 30, 2023
Hi tkreque I checked with our Product Management on this.

Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

Leslie_Hubertus
Ret. Employee
Oct 24, 2022
Hey tkreque - quick update to let you know that one of my teammates is looking into this for you and will reply to your question.
Nikoolayy1
MVP
Oct 26, 2022
This is a little bit outside of your question but maybe also review F5 distributed cloud (XC) expecially if you want in the future to use diffent cloud providers (multi cloud) as I worked with AWS WAF and its normal rules (the native ones not the F5 ones, so I can't comment on those like F5 CVE Rules ) . The issue with AWS WAF is its WAF engine that is just for me the opensource mod security while the F5 products (F5 Advanced WAF, NGINX App Protect, XC) use the BD engine.

What I am trying to say that even with the best rules for the AWS WAF it is still just a first generation WAF based on signatures with no ML positive model learning, no Javascript injections to block smart bot etc. So maybe consider to ask F5 also for a demo of the XC as it is easy as the AWS WAF to configure, it is multi cloud and as I mentioned it is much better for Layer 7 DDOS and Bot attacks and it has some special API protections to block Shadow API endpoints.
buulam
Admin
Jan 30, 2023
Hi tkreque I checked with our Product Management on this.

Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.
LiefZimmerman
Admin
May 17, 2023
Accepting Buu's last reply as Solution (even if it doesn't fully close the loop, yet). If you disagree tkreque you can simply unMark it. Thanks!