K24912123: Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system

Non-Diagnostic

Original Publication Date: Mar 31, 2022
Updated Date: Apr 01, 2022

Topic

You should consider using this procedure under the following condition:

  • You want to secure your applications against the Spring Framework vulnerability (CVE-2022-22965, also known as Spring4Shell) and the Spring Cloud vulnerability (CVE-2022-22963) with the BIG-IP system.

    Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available.

Description

You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module.

Procedures

Mitigate the Spring4Shell and Spring Cloud vulnerabilities with BIG-IP ASM/Advanced WAF

BIG-IP ASM/Advanced WAF blocks exploitation attempts using the ASM-AttackSignatures_20220331_131622 signature file update, released today, March 31, 2022.

For the broadest possible protection, ensure that the Apache Tomcat, Spring Boot, and Java Servlets/JSP server technologies are added to your security policy and that the Server Side Code Injection signature set and all of the following fourteen signatures are in blocking mode: 200003437, 200003438, 200003439, 200003443, 200003444, 200003445, 200004161, 200004453, 200104262, 200104263, 200104796, 200104797, 200104798, 200104799.

Note: Download and apply the latest signature updates to be sure all of these signatures are available.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP ASM/Advanced WAF Configuration utility.
  2. Go to Security > Application Security > Policy Building > Learning and Blocking Settings.
  3. Select the appropriate security policy from the security policy list.
  4. Select Attack Signatures.
  5. Select Change.
  6. Select Generic Detection Signatures (High/Medium Accuracy) and Server Side Code Injection Signatures.
  7. Select Change.
  8. Select Save.
  9. Select Apply Policy.
  10. Select OK to confirm the changes to the security policy.
  11. To verify that the fourteen injection attack signature IDs are part of the security policy, go to Security > Application Security > Security Policies > Policies List.
  12. Perform the following steps for your BIG-IP ASM/Advanced WAF version:

    BIG-IP 15.x and later

    • Select the security policy you added the signatures to.
    • Under Policy Configuration, select Attack Signatures.

    BIG-IP 14.x and earlier

    • Go to Security > Application Security > Attack Signatures.
    • In the current edited policy list, select the security policy.
  13. Perform the following step for your BIG-IP ASM/Advanced WAF version:

    BIG-IP 15.x and later

    • Select the filter (the funnel icon).

    BIG-IP 14.x and earlier

    • Select Show Filter Details.
  14. In Signature ID, enter one of the fourteen injection attack signatures, and then select Apply.

    The Configuration utility displays the attack signature and its status.

  15. Ensure the signature status (Staging or Enforced) meets your requirements.

    Note: Staging means that the system applies the attack signatures to the traffic but does not block the requests that trigger those attack signatures. When signatures match attack patterns during staging, the system generates learning suggestions. Enforced means the system enforces all configured blocking actions for each signature set.

  16. Repeat steps 11 through 15 for the remaining thirteen injection attack signature IDs.
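Steps 11 through 16 check the fourteen signatures one at a time in the Configuration utility. The following script is an added example, not F5's code or part of this article: it audits a policy's signature list in one pass and classifies each required ID as enforced, staging, disabled, or missing, using the staging/enforced distinction from the note above. It assumes input records carry the fields signatureId, enabled, and performStaging (the names iControl REST uses for a policy's signatures, which is an assumption here; adjust them to match whatever export you use); the sample records are constructed.

```python
# Added example (not F5's code): audit a BIG-IP ASM/Advanced WAF policy's
# signature list for the fourteen Spring4Shell / Spring Cloud signature IDs
# listed in this article. Field names (signatureId, enabled, performStaging)
# are assumed to mirror iControl REST; adjust them to your export format.

REQUIRED_SIGNATURE_IDS = frozenset({
    200003437, 200003438, 200003439, 200003443, 200003444, 200003445,
    200004161, 200004453, 200104262, 200104263, 200104796, 200104797,
    200104798, 200104799,
})

# Constructed sample: one signature in each state a policy can hold it in.
# The remaining eleven IDs are deliberately absent, as they would be when the
# ASM-AttackSignatures_20220331_131622 update has not been applied yet.
SAMPLE_POLICY_SIGNATURES = [
    {"signatureId": 200003437, "enabled": True, "performStaging": False},   # enforced
    {"signatureId": 200003438, "enabled": True, "performStaging": True},    # staging
    {"signatureId": 200003439, "enabled": False, "performStaging": False},  # disabled
    {"signatureId": 200000001, "enabled": True, "performStaging": False},   # unrelated
]


def audit_signatures(policy_signatures, required=REQUIRED_SIGNATURE_IDS):
    """Classify each required signature ID by its state in the policy.

    enforced: enabled and not staged, so configured blocking actions apply.
    staging:  enabled but performStaging is set; matches only generate
              learning suggestions and are not blocked.
    disabled: present in the policy but switched off.
    missing:  not in the policy at all (e.g. signature update not applied).
    """
    state_by_id = {}
    for rec in policy_signatures:
        sid = int(rec["signatureId"])
        if sid not in required:
            continue
        if not rec.get("enabled", True):
            state_by_id[sid] = "disabled"
        elif rec.get("performStaging", False):
            state_by_id[sid] = "staging"
        else:
            state_by_id[sid] = "enforced"
    report = {"enforced": [], "staging": [], "disabled": [], "missing": []}
    for sid in sorted(required):
        report[state_by_id.get(sid, "missing")].append(sid)
    return report


def is_fully_protected(report):
    """True only when every required signature is enforced."""
    return not (report["staging"] or report["disabled"] or report["missing"])
```

Any ID reported as staging, disabled, or missing still needs the corresponding step of the procedure above before the policy blocks the associated requests.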

Supplemental Information

None

Applies to:

Product: BIG-IP
16.X.X, 15.X.X, 14.X.X, 13.X.X