As we continue to monitor the rapidly evolving situation with the log4j vulnerability, our Security Research and Engineering teams have completed several iterations of our Fastly WAF and Signal Sciences Next-Gen WAF CVE rules. Signal Sciences Next-Gen WAF implementations automatically receive updates to rules as they are released without any customer action required. Fastly Legacy and Fastly 2020 WAF implementations require customer action to implement updated rules.
For more information on how to update the Legacy Fastly WAF rule set or individual rules in the Fastly 2020 WAF please visit
Legacy Fastly WAF - https://docs.fastly.com/en/guides/fastly-waf-rule-set-updates-maintenance-legacy#updating-to-the-latest-rules
Fastly 2020 WAF - https://docs.fastly.com/en/guides/about-the-fastly-waf-rule-management-interface-legacy#adding-new-rules-to-your-waf
Going forward we will post updates to our status pages as new versions of these rules are made available.
Our efficacy testing has shown that these rules provide excellent coverage in protecting our customers from a wide range of variants and attacks, with minimal false positives.
While these rules are being used widely by a variety of customers with great results, a number of customers have asked for a method to provide more strict coverage, though it increases the risk of false positives and the possibility of blocking a portion of legitimate traffic. To accommodate this request, we have created a second set of, “strict enforcement rules.” These are titled:
Fastly WAFs: Log4j2 - 2.14.1 JNDI possible RCE attempt - strict
Signal Sciences WAF: CVE-2021-44228-STRICT
We recommend only using these rules as a last resort while working to patch your environment, due to the increased risk of blocking legitimate traffic.
Please contact our support teams if you have any questions or need any assistance updating these rules at email@example.com