Forum Discussion

tkreque's avatar
tkreque
Icon for Nimbostratus rankNimbostratus
Oct 20, 2022
Solved

F5 Rules for AWS WAF - List of CVE

Hello,

We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription.

  • Where can we find the information of which CVEs are covered by this Rule set?
  • When a new High Risk CVE is identified how long it would take to be added in the Rule set list?

 

This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere?

Thanks in advance.

AWS
cloud
cve
F5 Rules for AWS WAF
security
waf
  • buulam's avatar
    buulam
    Jan 30, 2023

    Hi tkreque I checked with our Product Management on this.

    Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

    Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

4 Replies

Sort By
  • Leslie_Hubertus's avatar
    Leslie_Hubertus
    Ret. Employee
    Oct 24, 2022

    Hey tkreque - quick update to let you know that one of my teammates is looking into this for you and will reply to your question. 

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Oct 26, 2022

    This is a little bit outside of your question but maybe also review F5 distributed cloud (XC) expecially if you want in the future to use diffent cloud providers (multi cloud) as I worked with  AWS WAF and its normal rules (the native ones not the F5 ones, so I can't comment on those like F5 CVE Rules ) . The issue with AWS WAF is its WAF engine that is just for me  the opensource mod security while the F5 products (F5 Advanced WAF, NGINX App Protect, XC) use the BD engine.

     

    What I am trying to say that even with the best rules for the AWS WAF it is still just a first generation WAF based on signatures with no ML positive model learning, no Javascript injections to block smart bot etc. So maybe consider to ask F5 also for a demo of the XC as it is easy as the AWS WAF to configure, it is multi cloud and as I mentioned it is much better for Layer 7 DDOS and Bot attacks and it has some special API protections to block Shadow API endpoints.

  • buulam's avatar
    buulam
    Icon for Admin rankAdmin
    Jan 30, 2023

    Hi tkreque I checked with our Product Management on this.

    Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

    Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    May 17, 2023

    Accepting Buu's last reply as Solution (even if it doesn't fully close the loop, yet). If you disagree tkreque you can simply unMark it. Thanks!