Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Mitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP

Legacy Employee
Legacy Employee

UPDATE from F5 Support: Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system

You should consider using this procedure under the following condition:

  • You want to secure your applications against the Spring Framework (CVE-2022-22965 aka Spring4Shell) and Spring Cloud vulnerability CVE-2022-22963 with the BIG-IP system.

    Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available.


You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022....


You must meet the following prerequisite to use this procedure:

  • To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module.

Spring Framework RCE (Spring4Shell): CVE-2022-22965

Spring Framework DoS: CVE-2022-22950

Spring Cloud RCE: CVE-2022-22963


For products with None in the Versions known to be vulnerable column, there is no impact.

For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue.

AskF5 Article - Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and...

F5 Labs Article: What Are The Spring4Shell Vulnerabilities?





How do I know these vulnerabilities are no impact on AWS WAF?

I'm using these F5 rules for AWS WAF.


Legacy Employee
Legacy Employee

@AaronJB also posted this: 

F5 has published additional Advanced WAF rules for CVE-2022-22965 (Spring4Shell) and CVE-2022-22963 (Spring Cloud RCE), in addition to the 0-day coverage provided by several existing rules:

While you could likely use the log4j iRule as a base and modify it to contain your desired rules for Spring4Shell et al, I would caution that it is much more efficient and robust to use a WAF like Advanced WAF or NGINX App Protect than it is to re-write that functionality in an iRule.