Mitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP

Question

UPDATE from F5 Support:&nbsp;Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system

You should consider using this procedure under the following condition:

You want to secure your applications against the Spring Framework (CVE-2022-22965 aka Spring4Shell) and Spring Cloud vulnerability CVE-2022-22963 with the BIG-IP system.
Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available.

Description

You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963.
Prerequisites
You must meet the following prerequisite to use this procedure:

To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module.

Spring Framework RCE (Spring4Shell): CVE-2022-22965
Spring Framework DoS: CVE-2022-22950
Spring Cloud RCE: CVE-2022-22963
Impact
For products with&nbsp;None&nbsp;in the&nbsp;Versions known to be vulnerable&nbsp;column, there is no impact.
For products with&nbsp;**&nbsp;in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue.
AskF5 Article -&nbsp;Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963
F5 Labs Article:&nbsp;What Are The Spring4Shell Vulnerabilities?
&nbsp;

worapojc · Answer

Hi,How do I know these vulnerabilities are no impact on AWS WAF?I'm using these F5 rules for AWS WAF.F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE)F5 Rules for AWS WAF - API Security RulesRegards,Worapoj

psilva · Answer

AaronJB&nbsp;also posted this:&nbsp;
F5 has published additional Advanced WAF rules for CVE-2022-22965 (Spring4Shell) and CVE-2022-22963 (Spring Cloud RCE), in addition to the 0-day coverage provided by several existing rules:&nbsp;https://support.f5.com/csp/article/K24912123
While you could likely use the log4j iRule as a base and modify it to contain your desired rules for Spring4Shell et al, I would caution that it is&nbsp;much&nbsp;more efficient and robust to use a WAF like Advanced WAF or NGINX App Protect than it is to re-write that functionality in an iRule.

Forum Discussion

Mitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP

Description

2 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

df -h /shared file missing

SSO login for APM Profiles

Need Advice on below issue

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Related Content

Spring4shell iApp

Protect Applications from Spring4Shell. (CVE-2022-22965)

Overview of MITRE ATT&CK Framework and Initial Access Tactic (TA0001)

OpenSSH vulnerability

spring4shell iRules yet?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS