OWASP WAF – CVE-2021-35368 on OWASP CRS
IMPORTANT NOTICE FOR Kemp WAF Customers
The Kemp Web Application Firewall (WAF) has migrated to rules based on the Open Web Application Security Project® (OWASP) Core Rule Set (CRS) as the primary set of rules-based protection.
OWASP CRS is a set of generic attack detection rules designed to protect web applications from a wide range of attacks, including the OWASP Top Ten. The CRS provides protection against many common attack categories, including SQL Injection, Cross-Site Scripting, Local File Inclusion, etc. The OWASP CRS provides significantly better baseline protection for your applications.
A high severity vulnerability was raised against the OWASP CRS under CVE-2021-35368.
This was addressed by the OWASP CRS team on Wednesday 30th June in the 3.1.2, 3.2.1 and 3.3.2 releases.
Kemp have made available the OWASP CRS 3.3.2 release.
If you have Web Application Firewall – Access Settings – Enable Automated Installs ticked, then you will receive this update automatically.
Otherwise, please manually install updates under Web Application Firewall – Access Settings – Manually Install Updates – Install Now to receive and install this update.
Please find further information from OWASP CRS here.