how to block log4j weakness on f5 ?

neeeewbie · ‎15-Dec-2021

Hi guys

I need your help !

I checked the log4j version

as I know below version is include log4j weakness, but F5 official documents expain log4j weakness does not include F5

so, I wonder how to block log4j weakness on f5 ?

please let me know if you know reason !

Daniel_Wolf · ‎16-Dec-2021

Hi ,

according to K19026212 F5 products themselves are not vulnerable. It also describes how to use ASM or AdvWAF or iRules or NGINX App Protect in order to protect applications that are affected by the log4shell vulnerability and which are delivered via BIG-IP or NGINX.

Even if a software is using a log4j version which is affected by CVE-2021-44228, it can still be configured to be safe. As long as formatMsgNoLookups is set to true, lookups with jndi are disabled.

KR

Daniel

View solution in original post

Daniel_Wolf · ‎16-Dec-2021

Hi ,

according to K19026212 F5 products themselves are not vulnerable. It also describes how to use ASM or AdvWAF or iRules or NGINX App Protect in order to protect applications that are affected by the log4shell vulnerability and which are delivered via BIG-IP or NGINX.

Even if a software is using a log4j version which is affected by CVE-2021-44228, it can still be configured to be safe. As long as formatMsgNoLookups is set to true, lookups with jndi are disabled.

KR

Daniel

neeeewbie · ‎20-Dec-2021

really thank you so much!

PeteWhite · ‎10-Jan-2022

You can use the iApp at https://devcentral.f5.com/s/articles/Apache-Log4j2-CVE-2021-44228-mitigation-iApp?tag=&page=1

DevCentral

how to block log4j weakness on f5 ?

Sep 26th, 2023
MFA required on DevCentral

DevCentral

how to block log4j weakness on f5 ?

Sep 26th, 2023MFA required on DevCentral

Sep 26th, 2023
MFA required on DevCentral