===========================================================================
                AUSCERT Security Bulletin ASB-2012.0124
          A vulnerability has been identified in BIG-IP ASM
                            7 September 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            BIG-IP ASM
Operating System:   Network Appliance
Impact/Access:      Root Compromise        -- Remote with User Interaction
                    Cross-site Scripting   -- Remote with User Interaction
Resolution:         Patch/Upgrade
CVE Names:          CVE-2012-2975

Member content until: Sunday, October 7 2012

OVERVIEW

        A vulnerability has been identified in BIG-IP ASM versions 10.0.0
        through 10.2.4-HF3, 11.0.0 through 11.0.0-HF3, 11.1.0 through
        11.1.0-HF4, and 11.2.0 through 11.2.0-HF1. [1]

IMPACT

        The vendor has provided the following details regarding this
        vulnerability which has been assigned CVE-2012-2975:

        "A Cross Site Scripting (XSS) vulnerability exists on the BIG-IP ASM
        traffic overview page. Malicious request URLs may be exposed in the
        Configuration utility without proper sanitization." [1]

        "Privileged (root) access may be granted to unauthenticated
        users." [1]

MITIGATION

        To correct this issue the vendor recommends upgrading to the
        following versions or hotfixes which are known to be not
        vulnerable [1]:

                BIG-IP ASM 9.4.8
                BIG-IP ASM 10.2.4-HF4
                BIG-IP ASM 11.0.0-HF4
                BIG-IP ASM 11.1.0-HF5
                BIG-IP ASM 11.2.0-HF2

REFERENCES

        [1] sol13838: XSS vulnerability CVE-2012-2975
            http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13838.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
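The pattern behind the vendor's description (logged request URLs rendered into an admin overview page without sanitization) shown beside its hardened form, as an added Python example that is not F5's code and not part of this bulletin. The table layout, the sample log entries and the `leaks_markup` check are assumptions made for illustration only.

```python
import html

# Constructed sample "traffic overview" entries: (client IP, request URI as logged).
# These are made up for this example; the second and third carry markup that a
# request URL could contain, which a view that echoes URLs verbatim would execute.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.html"),
    ("198.51.100.2", "/search?q=<script>alert(1)</script>"),
    ("198.51.100.9", '/login?next="><img src=x onerror=alert(1)>'),
]


def render_row_unsafe(client_ip: str, request_uri: str) -> str:
    """'Before' pattern: the logged URI is dropped into the markup as-is,
    so whatever the request contained becomes part of the admin page's DOM."""
    return f"<tr><td>{client_ip}</td><td>{request_uri}</td></tr>"


def render_row_safe(client_ip: str, request_uri: str) -> str:
    """Hardened pattern: HTML-escape every untrusted field for the HTML body
    context before concatenation; quote=True also neutralises ' and "."""
    return (
        f"<tr><td>{html.escape(client_ip, quote=True)}</td>"
        f"<td>{html.escape(request_uri, quote=True)}</td></tr>"
    )


def render_overview(rows, renderer) -> str:
    """Assemble the table the way an overview page would, using either renderer."""
    return "<table>" + "".join(renderer(ip, uri) for ip, uri in rows) + "</table>"


def cell_contents(page: str):
    """Return the raw text between each <td> and the next </td> of a rendered page."""
    cells, pos = [], 0
    while (start := page.find("<td>", pos)) != -1:
        end = page.find("</td>", start)
        cells.append(page[start + 4:end])
        pos = end + 5
    return cells


def leaks_markup(page: str) -> bool:
    """Defensive check: True if any cell still holds an unescaped '<' or '"',
    i.e. untrusted content reached the page as live markup."""
    return any("<" in c or '"' in c for c in cell_contents(page))


def recovered_uris(page: str):
    """Decode the URI column back to text: escaping must lose no information."""
    return [html.unescape(c) for c in cell_contents(page)[1::2]]
```

Escaping (rather than stripping) keeps the logged URL readable for the analyst while preventing it from being interpreted as markup.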