Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0692
sol14410: Multiple MySQL vulnerabilities Security Advisory
15 May 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP LTM
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP Edge Gateway
BIG-IP GTM
BIG-IP Link Controller
BIG-IP PEM
BIG-IP PSM
BIG-IP WebAccelerator
BIG-IP WOM
Enterprise Manager
FirePass
Publisher: F5
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Existing Account
Modify Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0496 CVE-2012-0495 CVE-2012-0494
CVE-2012-0493 CVE-2012-0492 CVE-2012-0491
CVE-2012-0490 CVE-2012-0489 CVE-2012-0488
CVE-2012-0487 CVE-2012-0486 CVE-2012-0485
CVE-2012-0484 CVE-2012-0120 CVE-2012-0119
CVE-2012-0118 CVE-2012-0117 CVE-2012-0116
CVE-2012-0115 CVE-2012-0114 CVE-2012-0113
CVE-2012-0112 CVE-2012-0102 CVE-2012-0101
CVE-2012-0087 CVE-2012-0075 CVE-2011-2262
Reference: ASB-2012.0009
ESB-2012.0252
ESB-2012.0157
ESB-2012.0146
Original Bulletin:
http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14410.html
- --------------------------BEGIN INCLUDED TEXT--------------------
sol14410: Multiple MySQL vulnerabilities Security Advisory
Security Advisory
Original Publication Date: 05/14/2013
Description
For BIG-IP systems using the MySQL database, the following MySQL
vulnerabilities may allow local users to gain knowledge of sensitive
information, manipulate certain data, or cause a Denial of Service (DoS):
CVE-2011-2262
CVE-2012-0075
CVE-2012-0087
CVE-2012-0101
CVE-2012-0102
CVE-2012-0112
CVE-2012-0113
CVE-2012-0114
CVE-2012-0115
CVE-2012-0116
CVE-2012-0117
CVE-2012-0118
CVE-2012-0119
CVE-2012-0120
CVE-2012-0484
CVE-2012-0485
CVE-2012-0486
CVE-2012-0487
CVE-2012-0488
CVE-2012-0489
CVE-2012-0490
CVE-2012-0491
CVE-2012-0492
CVE-2012-0493
CVE-2012-0494
CVE-2012-0495
CVE-2012-0496
For Enterprise Manager systems, the following MySQL vulnerability may also
allow remote users to gain knowledge of sensitive information, manipulate
certain data, or cause a DoS:
CVE-2011-2262
Impact
This vulnerability may allow local users to gain knowledge of sensitive
information, manipulate certain data, or cause a DoS.
This vulnerability may allow remote exploit of Enterprise Manager systems
configured to back up the statistics database to a remote system
(Statistics Data Location is set to 'External').
Status
F5 Product Development has assigned ID 378560 (BIG-IP and Enterprise Manager)
to these vulnerabilities.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
Product Versions known to be vulnerable Versions known to be not vulnerable Vulnerable component or feature
BIG-IP LTM None 9.0.0 - 9.6.1 None
10.0.0 - 10.2.4
11.0.0 - 11.3.0
BIG-IP AFM None 11.3.0 None
BIG-IP Analytics 11.0.0 - 11.2.1 11.3.0 MySQL
BIG-IP APM 10.1.0 - 10.2.41 11.3.0 MySQL
1.0.0 - 11.2.1
BIG-IP ASM 9.2.0 - 9.4.8 11.3.0 MySQL
10.0.0 - 10.2.4
11.0.0 - 11.2.1
BIG-IP Edge Gateway 10.1.0 - 10.2.4 11.3.0 MySQL
11.0.0 - 11.2.1
BIG-IP GTM None 9.2.2 - 9.4.8 None
10.0.0 - 10.2.4
11.0.0 - 11.3.0
BIG-IP Link Controller None 9.2.2 - 9.4.8 None
10.0.0 - 10.2.4
11.0.0 - 11.3.0
BIG-IP PEM None 11.3.0 None
BIG-IP PSM 9.4.5 - 9.4.8 11.3.0 MySQL
10.0.0 - 10.2.4
11.0.0 - 11.2.1
BIG-IP WebAccelerator 9.4.0 - 9.4.8 11.3.0 MySQL
10.0.0 - 10.2.4
11.0.0 - 11.2.1
BIG-IP WOM None 10.0.0 - 10.2.4 None
11.0.0 - 11.3.0
ARX None 5.0.0 - 5.3.1 None
6.0.0 - 6.3.0
Enterprise Manager 1.6.0 - 1.8.0 3.1.0 MySQL
2.0.0 - 2.3.0
3.0.0
FirePass None 6.0.0 - 6.1.0 None
7.0.0
Recommended action
To eliminate these vulnerabilities, upgrade to a version that is listed in the
Versions known to be not vulnerable column in the previous table.
For Enterprise Manager, if you are unable to upgrade to 3.1.0, you can mitigate
the remote vulnerability by configuring the Statistics Data Location option to
use the local database. To do so, perform the following procedure:
Impact of action: The Enterprise Manager system will no longer store health and
performance monitoring statistics on an external database.
Log in to the Configuration utility.
Click Statistics.
Click Managed Devices.
Click Options.
Click Data Storage.
Change the Statistics Data Location option to Local.
Click Save Changes.
Supplemental Information
SOL11317: Connectivity requirements for the Enterprise Manager system
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents.
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x)
SOL9502: BIG-IP hotfix matrix
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUZMNce4yVqjM2NGpAQIY9Q//eFXMnH4cORF73p5lWloYMrUkP+I5tI3h
0XQKkTuxy3HjirxL6ayglz4sN4Pw4NwdhZRsck0zpdkvcHxbxc+dSjPv8IFj/HLO
zfZPUXz63Zc1/XiSx8s4uq4G7N123f2L65JuXfvWapn5UiRF8rluIRAIoHPijd7P
+TE4mRGpo64kjqkYh7Kj/x/56ECn9iSlAL4IYo4buTQNpBbAWNFM0nljyPfegFN4
p8yHupVMBuk3Iuj5j5h0meRjciFL4a/ZodEI6PHEyLQKhnsDacz6rPEs7Uzi3Smn
ht8ZC50rFkvfp/aIA6fuAllALT0GcqKA7svU14WG9JTDfFBhgDK0r487Patp+Dj6
bXdEfntLa3ZIuq4/BWM23U+vZUTUi4tA5LIQ1QEV27GFnZRnZiFiro9MTbNTwz5o
r8GBBlMrhgJxpJj1fqIGMMvjIzQUkAAsczK0K6QCLtfFHxhdV0MINsRc2s7gsUMT
Nbx2ceBON0SxPm3uRPjMOypk8b8P8qZLnTE03wTC7NePbGeW9pG3L5QSBAFgndkb
12ptdp1HzFhrpTUgC8OnUQQRhGy2zIZVEvF2Qd6f4qXGC/Pl6Rbu3UJFcOHjTERg
ijfZS5vAU5Ay9oFrzTUtLkhD1nI1appTTRLGE4WDM2LcbCvzI3HN1UYfLccmyGGk
JFi7qM4XYuU=
=+8Da
-----END PGP SIGNATURE-----