Oracle Cloud Infrastructure Web Application Firewall and Apache Log4j vulnerabilities
(Doc ID 2847489.1)
Last updated on OCTOBER 02, 2023
Applies to:
Oracle Cloud Infrastructure Web Application Firewall - Version N/A and laterInformation in this document applies to any platform.
Purpose
In December 2021, the Apache Software Foundation disclosed a series of Log4j vulnerabilities. Additionally, Apache provided mitigation guidance and published software updates. For more information, see this Apache document.
To temporarily reduce exposure to these Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), use Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF).
However, if the vulnerable Apache Log4j components are used, then we recommend to follow the Apache instructions to fully remediate the environments.
Scope
OCI WAF service can help protect Internet-facing layer 7 (HTTP/HTTPS) web applications that are hosted within or outside OCI regions. It can also help protect Layer 7 (HTTP/HTTPS) applications that are hosted behind public or private OCI Flexible Load Balancer instances.
This document applies to OCI Web Application Firewall service. It explains how to configure OCI WAF Protection rules and enforce them at the Edge and/or on Flexible Load Balancer instances to help protect the web applications that are deemed vulnerable as temporary and partial measure until these vulnerabilities are fully remediated.
Details
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Purpose |
| Scope |
| Details |
| FAQs |