F5 Rules for AWS WAF - CVE-2021-22118 & CVE-2016-1000027

chanzk
Altostratus

Hello,

We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and want to check if the following CVEs are covered by this rule set?

  • CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request Handling
  • CVE-2016-1000027: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.

Thanks.

Accepted solution

Joel_Cohen
F5 Employee

Hi @chanzk ,

Unlike the full blown WAF security solutions, F5 rules on AWS WAF are limited in total capacity, limiting the types of CVEs we can offer protection against. Normally, F5 rules include protection against CVEs that are common among customers. CVE-2016-1000027 may affect only few, therefore it wasn't included yet. We will add it in our next updates.

CVE-2021-22118 is a local vulnerability, not a network vulnerability. So less relevant for a WAF.

Thanks.

16 replies

whisperer
Nacreous

The following is good generic info on the F5 WAF:

https://www.f5.com/company/blog/how-does-a-waf-mitigate-vulnerabilities

You would probably be looking at signatures. You can look at these if you have a test or eval instance running of the product:

https://my.f5.com/manage/s/article/K41207833


Hi @whisperer ,

Thanks for the reply. As I mentioned, I am using the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules. Therefore I do not have access to the BIG-IP ASM/AdvWAF Configuration Utility. Does it mean that it is impossible to check what CVEs are included when subscribing to F5 rules from the AWS marketplace?

Thanks.

If someone has access to an F5 with WAF, you could follow this?
https://my.f5.com/manage/s/article/K45558510

whisperer
Nacreous

I really cannot think of a way to a) programmatically obtain this information from the product via the CLI, b) nor am I aware of any online index or search tool for figuring out what version/signature release covers certain CVEs.

If I need a quick answer, I would just run an F5 VE instance on VMware with the same BIG-IP code and attack signature version, and reference it that way.

I would be very interested in knowing of a better way of doing this. Have you tried to contact an F5 sales engineer or product support?

buulam
Community Manager

Hi @chanzk , I've asked the Product Manager for the F5 Rules for AWS WAF to review.

Will let you know what the response is. Thank you

~~~~~~~~~~~~~~~~~~
@buulam / YouTube.com/DevCentral

Hi @Joel_Cohen ,

Thanks very much for the information. That is useful. May I know the schedule of the next updates that include CVE-2016-1000027?

Regards,

Hi @Joel_Cohen ,

It would be helpful if I could know the schedule of the next updates that include CVE-2016-1000027. Thanks.

Regards,

Hi @chanzk ,

Apologies for the delayed response. We plan to update it by the first week of October.

Thanks,

Hi @Joel_Cohen ,

Can I ask for an update on CVE-2016-1000027 in this thread in October?

Thanks

Sure. I'll set myself a reminder to update this thread 🙂

The rule set was updated to include CVE-2016-1000027.

ambrosetse
Altostratus

Hi @Joel_Cohen ,

I would like to know if the rule set has been updated or not.

Hi @ambrosetse ,

Yes, it was updated. Sorry it took me longer to answer than expected.

Hi @Joel_Cohen ,

I would like to know if the current F5 Rules for AWS WAF cover the following vulnerabilities:
CVE-2022-22968, CVE-2022-22976, CVE-2022-22970, CVE-2022-22950, CVE-2023-20861 and CVE-2023-20863
If not, will they be included in a future release?

Thanks

Ambrose

Hi @ambrosetse ,

These CVEs are not covered in the rule sets. We don't have these in our plans either.

Thanks

Joel