A new policy (baseline version 201706081942) for the Virtual Web Application Firewall is now available.
- Changed: bash injection CVE-2014-6271 and CVE-2014-7169 - Reason: Refine "protection against bash injection" rule to also match if there is no whitespace.
- Changed: access UNIX system paths - Reason: Also match on header values
- Changed: execution of shell commands and script interpreters - Reason: Also match on header values
- Changed: drop statement - Reason: Also match on header values
- Changed: remote file inclusion - Reason: Also match on header values
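The following sketch illustrates the first two kinds of change in this list: matching the bash function-definition prefix when no whitespace is present, and inspecting header values as well as parameters. It is an added example, not the rule text shipped in the policy; the two patterns, the assumption that the whitespace in question sits between `()` and `{`, the percent-decoding step, and all sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed patterns, not the vendor's rule: the function-definition prefix
# associated with CVE-2014-6271 / CVE-2014-7169.
STRICT = re.compile(r"\(\)\s+\{")   # requires whitespace between "()" and "{"
RELAXED = re.compile(r"\(\)\s*\{")  # also matches when that whitespace is absent


def scan_request(headers, params, pattern=RELAXED):
    """Return sorted (location, name) pairs whose decoded value matches."""
    findings = []
    for location, fields in (("header", headers), ("param", params)):
        for name, value in fields.items():
            # Percent-decode first so encoded values are compared in
            # the same form as plain ones (assumed normalization step).
            if pattern.search(unquote(value)):
                findings.append((location, name))
    return sorted(findings)


# Constructed sample request (no real traffic).
SAMPLE_HEADERS = {
    "User-Agent": "(){ :;};",    # prefix without whitespace
    "Referer": "() { :;};",      # prefix with whitespace
    "Accept": "text/html",
}
SAMPLE_PARAMS = {
    "next": "%28%29%7B%20%3A%3B%7D%3B",  # percent-encoded, no whitespace
    "cb": "function(){return 1}",        # benign JavaScript, relaxed rule hits
    "q": "f() returns {}",               # benign, matches neither pattern
}

if __name__ == "__main__":
    print("strict :", scan_request(SAMPLE_HEADERS, SAMPLE_PARAMS, STRICT))
    print("relaxed:", scan_request(SAMPLE_HEADERS, SAMPLE_PARAMS, RELAXED))
```

The `cb` parameter shows the trade-off of a relaxed match: legitimate values that carry JavaScript can now trigger it, so exceptions may be needed for fields that are expected to contain code.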
There is a zip archive attached to this message which contains this policy. The archive needs to be extracted before it can be uploaded to the WAF (either via web UI or REST API).
The download within the product will become available after a short delay.