Most F5 products are not affected by the Log4j vulnerability. The exception is the Traffix SDC product, because of the Elasticsearch component used in versions 5.2.0 CF1 and 5.1.0 CF-30 – 5.1.0 CF-33 of the Traffix SDC application. The severity is still low, because exploitation of the Log4j vulnerability can be prevented either with BIG-IP or an F5 iRule, as described at https://support.f5.com/csp/article/K59329043, or with NGINX Application Security products.
Products that were not impacted by Log4j: BIG-IP (all modules), BIG-IQ Centralized Management, F5OS Traffix SDC, NGINX Plus, NGINX Open Source, NGINX Unit, NGINX App Protect, NGINX Controller, NGINX Ingress Controller, NGINX Instance Manager and NGINX Service Mesh.
F5 Product | Versions | Status | Patched? |
---|---|---|---|
BIG-IP (all modules) | All | Not Vulnerable | Not Needed |
BIG-IQ Centralized Management | All | Not Vulnerable | Not Needed |
F5OS | All | Not Vulnerable | Not Needed |
Traffix SDC | 5.2.x, 5.1.x | Vulnerable | Not Needed |
NGINX Plus | All | Not Vulnerable | Not Needed |
NGINX Open Source | All | Not Vulnerable | Not Needed |
NGINX Unit | All | Not Vulnerable | Not Needed |
NGINX App Protect | All | Not Vulnerable | Not Needed |
NGINX Controller | All | Not Vulnerable | Not Needed |
NGINX Ingress Controller | All | Not Vulnerable | Not Needed |
NGINX Instance Manager | All | Not Vulnerable | Not Needed |
NGINX Service Mesh | All | Not Vulnerable | Not Needed |