Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,002 questions
Azure application gateway web application firewall configuration doesn't show the new rule id updated for cve-2023-50164
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 89%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Alex
355
Reputation points
Hello,
Based on the update from Azure regarding the waf ruleset update for cve-2023-50164 (https://azure.microsoft.com/en-in/updates/general-availability-security-update-for-application-gateway-waf-cve202350164/), the rule id is not reflecting in my appgw waf config.
Is there something I should do?
note: I have the default waf configuration enabled for the application gateway and not a separate waf policy that is attached to the appgw.
Thanks in advance.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee2024-01-02T21:54:36.48+00:00 Thank you for reaching out.
Based on your statement here
note: I have the default waf configuration enabled for the application gateway and not a separate waf policy that is attached to the appgw.
Can you please confirm your Application gateway Tier and also confirm if Core Ruleset (CRS): 3.2 or 3.1 have been configured?
I created a new application gateway in WAFv2 tier and I can see the managed rule has been added to the WAF policy created.
Please share the information requested above and I will confirm if you need to upgrade your WAF Config to a WAF Policy
Thank you!
-
Alex 355 Reputation points
2024-01-03T01:30:49.27+00:00 Hello @ChaitanyaNaykodi-MSFT ,
Thank you for the prompt response.
Please find the screenshots below for the requested information,
-
Alex 355 Reputation points
2024-01-03T01:32:47.19+00:00 Hello @ChaitanyaNaykodi-MSFT ,
Thank you for the prompt response.
Please find the screenshots below for the requested information,
-
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2024-01-03T02:42:34.5466667+00:00 Thank you for providing the details above. I have reached out to the team internally regarding this issue and will share an update as soon as they get back. Thank you!
-
Alex 355 Reputation points
2024-01-03T02:44:59.5033333+00:00 Thank you, much appreciated for the support @ChaitanyaNaykodi-MSFT
-
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2024-01-03T16:53:12.1033333+00:00 Thank you for your patience here. I just heard back from the team.
Can you please try an operation and see if that enables CVE? For example: enable or disable a rule and see if that sets-up the new CVE rule.
If that does not help, can you please reach out to us at azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID:
Application Gateway Resource ID:
Please let me know once you have done the same. Thank you!
-
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2024-01-04T16:09:29.1733333+00:00 Just following up here to see if you were able take a look at my comment above. Thank you!
-
Alex 355 Reputation points
2024-01-05T13:10:02.01+00:00 Hello Chaitanya,
Apologies for the late response.
I did what you suggested but forgot to reply here - disabled a ruleset on the WAF config, but it didn't set the new cve rule.
Unfortunately I had to clean up the resource due to budget constraints and will be able to setup later this month, so couldn't reach out via mail with the resource id at this moment.
Meanwhile, is it possible to check in your test AppGw with waf config enabled, if available?
Also, does this reflect only on waf policy and not on waf configs?
Thank you for the prompt support, as always.
-
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2024-01-11T03:41:38.7+00:00 @Alex
Thank you for reaching out and apologies for the delay here. Based on your questions above:Meanwhile, is it possible to check in your test AppGw with waf config enabled, if available?
Currently all the new Application Gateways are deployed with WAF policy. Let me check if the product team can test it on their end.
Also, does this reflect only on waf policy and not on waf configs?
Currently this issue is not observed for WAF policies. Thank you!
Sign in to comment