General availability: Security Update for Application Gateway WAF CVE-2023-50164

Attention all Azure regional WAF customers: We have deployed a new managed rule to address the security vulnerability [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164). This security vulnerability could potentially impact your application. The fix has been rolled out for the ruleset versions listed below. If you believe that your application is vulnerable to this exploit, we recommend changing the action of this rule from log to block. Please note that the anomaly score action is not supported for this rule.

**Default Ruleset (DRS): [2.1](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#drs99001-21)**

* ID: 99001017
* Rule Group: MS-ThreatIntel-CVEs
* State: Enabled
* Action: Log

**Core Ruleset (CRS): [3.2](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32#crs800-32), [3.1](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp31#crs800-31)**

* ID: 800114
* Rule Group: KNOWN-CVES
* State: Enabled
* Action: Log
* Note: This rule is only supported on WAFv2. Older WAFs running CRS 3.1 only support logging mode for this rule. To enable block mode you will need to upgrade to a newer ruleset version.

Thank you for choosing Azure for your web security needs.
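Before changing the rule action from log to block, it helps to see where the rule is already matching. The following Python script is an added example, not part of the Azure announcement: it counts hits for rule IDs 99001017 and 800114 in Application Gateway firewall log records, per hostname, split into logged-only and blocked. The sample records are constructed, and the field names (`category`, `properties.ruleId`, `properties.action`, `properties.hostname`) are assumed to follow the ApplicationGatewayFirewallLog diagnostic schema.

```python
import json
from collections import Counter

# Rule IDs from the announcement: DRS 2.1 and CRS 3.2/3.1 respectively.
CVE_RULE_IDS = {"99001017", "800114"}

# Constructed sample records, one JSON object per line. Field names are assumed
# to match the ApplicationGatewayFirewallLog schema; verify against your export.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","hostname":"shop.example.com","requestUri":"/upload","ruleId":"99001017","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","hostname":"shop.example.com","requestUri":"/upload","ruleId":"99001017","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","hostname":"api.example.com","requestUri":"/files","ruleId":"800114","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","hostname":"api.example.com","requestUri":"/search","ruleId":"942100","action":"Matched"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"192.0.2.1","requestUri":"/"}}
not json
"""


def cve_rule_hits(lines):
    """Yield (hostname, rule_id, blocked) for firewall records matching the CVE rules."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # ignore access logs and other categories
        props = rec.get("properties") or {}
        rule_id = str(props.get("ruleId", ""))
        if rule_id in CVE_RULE_IDS:
            # Any action other than "Blocked" means the request was let through.
            yield props.get("hostname", "?"), rule_id, props.get("action") == "Blocked"


def summarize(lines):
    """Count hits per (hostname, rule_id), split into logged-only and blocked."""
    logged, blocked = Counter(), Counter()
    for host, rule_id, was_blocked in cve_rule_hits(lines):
        (blocked if was_blocked else logged)[(host, rule_id)] += 1
    return {"logged_only": dict(logged), "blocked": dict(blocked)}


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_LOG.splitlines()).items():
        for (host, rule_id), n in sorted(counts.items()):
            print(f"{bucket:12} {host:20} rule {rule_id}: {n} hit(s)")
```

Hostnames that appear under `logged_only` are the ones where the rule matched but the request was not stopped, which is where switching the rule action to block changes behaviour.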