This article outlines configuration changes required on WAF 3.x to address the Log4j vulnerability.
Although WAF 3.x includes Log4j, it is only used when the ‘Cloud Management’ feature is enabled.
The ‘Cloud Management’ feature is disabled by default, so customers are protected from the Log4j vulnerability.
To avoid exploitation of the Log4j vulnerability, customers should disable (uncheck) the ‘Cloud Management’ feature. Disabling it won’t affect WAF functionality, as ‘Cloud Management’ is a deprecated feature.
A firmware upgrade on WAF is not required.
To disable the 'Cloud Management' feature, go to the System | Administration page and uncheck it.
NOTE: WAF 2.2.x and earlier versions don’t use Log4j.