F5 Products & Log4j Vulnerability

Most of the F5 products are not affected by Log4j vulnerability except the Traffic SDC product because of the Elastic Search component used in 5.2.0 CF1, 5.1.0 CF-30 – 5.1.0 CF-33 versions of the Traffic SDC application. The severity is still low as the Log4j vulnerability can’t be exploited as these can be prevented by either using BIGIP or an F5 irule as described here – https://support.f5.com/csp/article/K59329043 and there is another way by which exploitation can be prevented using  NGINX Application Security products

Products that were not impacted by Log4j: BIG-IP (All modules), BIG-IQ Centralized Management , F5OS Traffix SDC , NGINX Plus, NGINX Open Source, NGINX Unit, NGINX App Protect, NGINX Controller, NGINX Ingress Controller, NGINX Instance Manager and NGINX Service Mesh


F5 ProductVersionsStatusPatched?
BIG-IP (all modules)AllNot VulnerableNot Needed
BIG-IQ Centralized ManagementAllNot VulnerableNot Needed
F5OSAllNot VulnerableNot Needed
Traffix SDC5.2.x, 5.1.xVulnerableNot Needed
NGINX PlusAllNot VulnerableNot Needed
NGINX Open SourceAllNot VulnerableNot Needed
NGINX UnitAllNot VulnerableNot Needed
NGINX App ProtectAllNot VulnerableNot Needed
NGINX ControllerAllNot VulnerableNot Needed
NGINX Ingress ControllerAllNot VulnerableNot Needed
NGINX Instance ManagerAllNot VulnerableNot Needed
NGINX Service MeshAllNot VulnerableNot Needed
Source: https://support.f5.com/csp/article/K19026212

Scroll to Top