Akamai has created two new WAF rules in response to new information about the Apache Struts2 vulnerability. The first rule, the most recent version of KRS Rule 3000014, is a standard part of the Kona Ruleset and protects against the many common attacks leveraging this vulnerability. It is designed to let organizations with complex environments continue operating without risk of the WAF rule interfering with those environments. However, because this rule was intentionally designed to have as few false positives as possible, it may not capture future attacks against the Struts vulnerability. This rule will provide superior protection to rule 960010 for most customers.
The second new rule is a custom rule that takes further steps to inspect traffic. In some cases, this could create false positives that block legitimate traffic. However, the rule is designed to have the fewest false negatives feasible, meaning it is much less likely to miss attack traffic. Customers must work with their Akamai support teams to implement this rule, because it has to be tuned for their specific environment.
All Web Application Firewall rules are a trade-off between false positives (legitimate traffic identified as attack traffic) and false negatives (attack traffic erroneously identified as legitimate). These two new WAF rules give Akamai customers the ability to select and implement the most appropriate protection, based on risk tolerance within their individual environments.
If you have any questions about these rules, do not hesitate to reach out to your account manager for clarification.
The original blog post about this vulnerability can be found here.