Forum Discussion

tkreque's avatar
tkreque
Icon for Nimbostratus rankNimbostratus
Oct 20, 2022

F5 Rules for AWS WAF - List of CVE

Hello,

We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription.

  • Where can we find the information of which CVEs are covered by this Rule set?
  • When a new High Risk CVE is identified how long it would take to be added in the Rule set list?

 

This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere?

Thanks in advance.

  • Hi tkreque I checked with our Product Management on this.

    Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

    Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

  • Accepting Buu's last reply as Solution (even if it doesn't fully close the loop, yet). If you disagree tkreque you can simply unMark it. Thanks!

  • Hi tkreque I checked with our Product Management on this.

    Unlike our traditional, full blown WAF security solutions, the content of F5 for AWS WAF rules is not visible and cannot be viewed. If you are concerned with a specific CVE, you may send us the CVE details and we will check against the F5 rule sets.

    Regarding the time to add CVEs, due to limitations from AWS on resources per rule set we cannot commit to a define cadence to update the sets. New CVEs are evaluated individually.

  • This is a little bit outside of your question but maybe also review F5 distributed cloud (XC) expecially if you want in the future to use diffent cloud providers (multi cloud) as I worked with  AWS WAF and its normal rules (the native ones not the F5 ones, so I can't comment on those like F5 CVE Rules ) . The issue with AWS WAF is its WAF engine that is just for me  the opensource mod security while the F5 products (F5 Advanced WAF, NGINX App Protect, XC) use the BD engine.

     

    What I am trying to say that even with the best rules for the AWS WAF it is still just a first generation WAF based on signatures with no ML positive model learning, no Javascript injections to block smart bot etc. So maybe consider to ask F5 also for a demo of the XC as it is easy as the AWS WAF to configure, it is multi cloud and as I mentioned it is much better for Layer 7 DDOS and Bot attacks and it has some special API protections to block Shadow API endpoints.

  • Hey tkreque - quick update to let you know that one of my teammates is looking into this for you and will reply to your question.