-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1523
        Multiple SSL/TLS Vulnerabilities in F5 Networks BIG-IP, ARX
                          and Line Rate products
                             8 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP
                   F5 Line Rate
                   F5 ARX
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-5139 CVE-2014-4024 CVE-2014-3511
                   CVE-2014-3510 CVE-2014-3509 CVE-2014-3508

Reference:         ASB-2014.0096
                   ESB-2014.1491
                   ESB-2014.1467.2
                   ESB-2014.1396
                   ESB-2014.1388
                   ESB-2014.1335
                   ESB-2014.1334

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15500.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15564.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15567.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15568.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15541.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15571.html

Comment: This bulletin contains six (6) F5 Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------------------------------------------------------------------------

SOL15564: TLS vulnerability CVE-2014-3511

Security Advisory

Original Publication Date: 09/05/2014

Description

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 
1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by 
triggering ClientHello message fragmentation in communication between a client
and server that both support later TLS versions, related to a "protocol 
downgrade" issue. (CVE-2014-3511)

Impact

Vulnerable hosts may be subject to a man-in-the-middle attack by forcing a 
downgrade to TLS 1.0, even if both the server and the client support a higher
protocol version.
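As an added illustration of the fragmentation condition the description relies on (example code, not F5's or OpenSSL's), the following Python parser reassembles a ClientHello that spans several TLS records and flags the case where the first record is too short to carry client_version, which is what a receiver would have to guess around. The 6-byte threshold and the minimal ClientHello builder used to produce sample traffic are this example's own assumptions.

```python
"""Detector for a ClientHello whose client_version is not in its first TLS record.

Added example for the CVE-2014-3511 description above; not F5 or OpenSSL code.
Assumption: a well-formed first record carries at least the 4-byte handshake
header plus the 2-byte client_version (6 bytes).  A shorter first fragment means
the receiver must guess the version before it has seen it, which is the
condition a downgrade-by-fragmentation relies on.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
MIN_FIRST_FRAGMENT = 6    # handshake header (4) + client_version (2); assumed threshold
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def split_records(data: bytes):
    """Yield (content_type, record_version, payload) for each TLS record in data."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, rver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, rver, payload
        off += 5 + length


def analyze_client_hello(data: bytes) -> dict:
    """Reassemble the ClientHello from one or more records and report on it.

    Returns the client_version found after reassembly, how many records the
    message spanned and whether the first record was too short to carry the
    version field (downgrade_risk).
    """
    fragments = []
    for ctype, _rver, payload in split_records(data):
        if ctype != HANDSHAKE:
            raise ValueError("non-handshake record before ClientHello completed")
        fragments.append(payload)
        body = b"".join(fragments)
        # Handshake header: 1-byte type + 3-byte length; stop once it is complete.
        if len(body) >= 4 and len(body) >= 4 + int.from_bytes(body[1:4], "big"):
            break
    else:
        raise ValueError("incomplete ClientHello")
    if body[0] != CLIENT_HELLO or len(body) < 6:
        raise ValueError("not a ClientHello")
    version = struct.unpack("!H", body[4:6])[0]
    return {
        "client_version": VERSION_NAMES.get(version, hex(version)),
        "records": len(fragments),
        "downgrade_risk": len(fragments[0]) < MIN_FIRST_FRAGMENT,
    }


def build_client_hello(version: int, fragment_sizes=None) -> bytes:
    """Constructed minimal ClientHello split into records (sample input only).

    fragment_sizes lists the payload size of each leading record; whatever is
    left goes into a final record.  No sizes means a single, unfragmented record.
    """
    body = struct.pack("!H", version) + bytes(32)   # client_version + zero random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
    body += b"\x01\x00"                             # null compression only
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    out, off = b"", 0
    for size in list(fragment_sizes or []) + [len(msg)]:
        chunk = msg[off:off + size]
        if chunk:
            out += struct.pack("!BHH", HANDSHAKE, 0x0301, len(chunk)) + chunk
            off += len(chunk)
    return out
```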

Status

F5 Product Development has assigned ID 474757 (BIG-IP and Enterprise Manager)
and ID 477194 (BIG-IQ) to this vulnerability, and has evaluated the currently
supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                           Versions known to be vulnerable      Versions known to be not vulnerable                         Vulnerable component or feature
BIG-IP LTM                        11.5.0 - 11.6.0                      11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            TMM vulnerable with COMPAT ciphers only TLS/DTLS 1.0
BIG-IP AAM                        11.5.0 - 11.6.0                      11.4.0 - 11.4.1                                             TLS/DTLS 1.0
BIG-IP AFM                        11.5.0 - 11.6.0                      11.3.0 - 11.4.1                                             TLS/DTLS 1.0
BIG-IP Analytics                  11.5.0 - 11.6.0                      11.0.0 - 11.5.1                                             TLS/DTLS 1.0
BIG-IP APM                        11.5.0 - 11.6.0                      11.0.0 - 11.4.1, 10.1.0 - 10.2.4                            TLS/DTLS 1.0
BIG-IP ASM                        11.5.0 - 11.6.0                      11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            TLS/DTLS 1.0
BIG-IP Edge Gateway               None                                 11.0.0 - 11.3.0, 10.1.0 - 10.2.4                            TLS/DTLS 1.0
BIG-IP GTM                        11.5.0 - 11.6.0                      11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            TLS/DTLS 1.0
BIG-IP Link Controller            11.5.0 - 11.6.0                      11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            TLS/DTLS 1.0
BIG-IP PEM                        11.5.0 - 11.6.0                      11.3.0 - 11.4.1                                             TLS/DTLS 1.0
BIG-IP PSM                        None                                 11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            None
BIG-IP WebAccelerator             None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
BIG-IP WOM                        None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
ARX                               None                                 6.0.0 - 6.4.0                                               None
Enterprise Manager                None                                 3.0.0 - 3.1.1, 2.1.0 - 2.3.0                                None
FirePass                          None                                 7.0.0, 6.0.0 - 6.1.0                                        None
BIG-IQ Cloud                      None                                 4.0.0 - 4.3.0                                               None
BIG-IQ Device                     None                                 4.2.0 - 4.3.0                                               None
BIG-IQ Security                   None                                 4.0.0 - 4.3.0                                               None


Recommended action

BIG-IP 11.x

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability for virtual servers, you can disable all TLS1 
protocols in the SSL profile. To do so, perform the following procedure:

Impact of procedure: The following procedure should not have a negative impact
on your system.

Log in to the BIG-IP Configuration utility as the administrative user.

For Server SSL profiles, navigate to Local Traffic > Profiles > SSL > Server.

For Client SSL profiles, navigate to Local Traffic > Profiles > SSL > Client.

Open the SSL Server profile you want to modify.

Under Options List in the Available Ciphers, highlight the NoTLSv1 option and
click Enable.

To complete the change, click Update.

Repeat this procedure for all Server and Client SSL profiles.

To mitigate this vulnerability for the BIG-IP Configuration utility, you can 
disable all TLS1 protocols for httpd. To do so, perform the following 
procedure:

Impact of procedure: Some browsers, such as Mozilla Firefox, may fail to 
connect to the BIG-IP Configuration utility with TLS1 ciphers disabled.

Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

Before you change the SSL cipher string, you should review the existing string
for your specific BIG-IP version. To list the currently configured cipher 
string, type the following command:

list /sys httpd ssl-ciphersuite

For example, the BIG-IP 11.5.1 system displays the following cipher string:

ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

To restrict Configuration utility access from clients using TLS1, type the 
following command with the !TLSv1 cipher exclusion appended:

modify /sys httpd ssl-ciphersuite 
'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!TLSv1'

Save the configuration change by typing the following command:

save /sys config

Restart the httpd process by typing the following command:

restart /sys service httpd
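The httpd procedure above, wrapped as an added helper (example code, not F5's) that a practitioner might use to apply the change across several units without doubling up the exclusion: it parses the output of `list /sys httpd ssl-ciphersuite`, appends `!TLSv1` only when the string does not already carry it, and returns the tmsh commands to run. The `sys httpd { ssl-ciphersuite ... }` block layout and the sample output are assumptions constructed around the 11.5.1 string quoted in the advisory.

```python
"""Idempotent helper for the httpd TLS1 mitigation above (added example, not F5 code).

It reads the output of `list /sys httpd ssl-ciphersuite`, appends the !TLSv1
exclusion only when it is missing, and returns the tmsh commands to run.
Assumption: tmsh prints the setting as a `sys httpd { ssl-ciphersuite ... }`
block; the sample below is constructed around the 11.5.1 string in the advisory.
"""
import re

SAMPLE_TMSH_OUTPUT = """\
sys httpd {
    ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
}
"""


def extract_cipher_string(tmsh_output: str) -> str:
    """Pull the cipher string out of the tmsh `list` block."""
    m = re.search(r"^\s*ssl-ciphersuite\s+(\S+)", tmsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no ssl-ciphersuite line in tmsh output")
    return m.group(1)


def excludes_tls1(cipher_string: str) -> bool:
    """True when the string already carries the !TLSv1 exclusion as a whole token."""
    return "!TLSv1" in cipher_string.split(":")


def with_tls1_excluded(cipher_string: str) -> str:
    """Return the string with :!TLSv1 appended once (unchanged if already present)."""
    return cipher_string if excludes_tls1(cipher_string) else cipher_string + ":!TLSv1"


def mitigation_commands(tmsh_output: str) -> list:
    """tmsh commands that apply the mitigation; empty when it is already in place."""
    current = extract_cipher_string(tmsh_output)
    wanted = with_tls1_excluded(current)
    if wanted == current:
        return []
    return [
        f"modify /sys httpd ssl-ciphersuite '{wanted}'",
        "save /sys config",
        "restart /sys service httpd",
    ]
```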

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents.

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x)

SOL10025: Managing BIG-IP product hotfixes (10.x)

SOL9502: BIG-IP hotfix matrix

SOL10322: FirePass hotfix matrix

SOL12766: ARX hotfix matrix

SOL3430: Installing FirePass hotfixes

SOL6664: Obtaining and installing OPSWAT hotfixes

SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems

- ----------------------------------------------------------------------------

SOL15500: SSL acceleration card timing vulnerability CVE-2014-4024

Security Advisory

Original Publication Date: 09/05/2014

Description

Researchers discovered a timing security vulnerability in the way a 
third-party component shipped with the BIG-IP system handles SSL records. 
(CVE-2014-4024 pending)

Impact

Under very specific conditions, BIG-IP devices with third-party SSL 
accelerator cards may be vulnerable to SSL/TLS side channel timing 
vulnerability attacks.

Note: BIG-IP FIPS devices are not vulnerable.

Status

F5 Product Development has assigned ID 435652 to this vulnerability, and has 
evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                           Versions known to be vulnerable      Versions known to be not vulnerable                         Vulnerable component or feature
BIG-IP LTM                        11.0.0 - 11.5.1, 10.0.0 - 10.2.4     11.6.0                                                      SSL virtual servers
BIG-IP AAM                        11.4.0 - 11.5.1                      11.6.0                                                      SSL virtual servers
BIG-IP AFM                        11.3.0 - 11.5.1                      11.6.0                                                      SSL virtual servers
BIG-IP Analytics                  11.0.0 - 11.5.1                      11.6.0                                                      SSL virtual servers
BIG-IP APM                        11.0.0 - 11.5.1, 10.1.0 - 10.2.4     11.6.0                                                      SSL virtual servers
BIG-IP ASM                        11.0.0 - 11.5.1, 10.0.0 - 10.2.4     11.6.0                                                      SSL virtual servers
BIG-IP Edge Gateway               11.0.0 - 11.3.0, 10.1.0 - 10.2.4     None                                                        SSL virtual servers
BIG-IP GTM                        11.0.0 - 11.5.1, 10.0.0 - 10.2.4     11.6.0                                                      None
BIG-IP Link Controller            11.0.0 - 11.5.1, 10.0.0 - 10.2.4     11.6.0                                                      SSL virtual servers
BIG-IP PEM                        11.3.0 - 11.5.1                      11.6.0                                                      SSL virtual servers
BIG-IP PSM                        11.0.0 - 11.4.1, 10.0.0 - 10.2.4     None                                                        SSL virtual servers
BIG-IP WebAccelerator             11.0.0 - 11.3.0, 10.0.0 - 10.2.4     None                                                        SSL virtual servers
BIG-IP WOM                        11.0.0 - 11.3.0, 10.0.0 - 10.2.4     None                                                        SSL virtual servers
ARX                               None                                 6.0.0 - 6.4.0                                               None
Enterprise Manager                None                                 3.0.0 - 3.1.1, 2.1.0 - 2.3.0                                None
FirePass                          None                                 7.0.0, 6.0.0 - 6.1.0                                        None
BIG-IQ Cloud                      None                                 4.0.0 - 4.3.0                                               None
BIG-IQ Device                     None                                 4.2.0 - 4.3.0                                               None
BIG-IQ Security                   None                                 4.0.0 - 4.3.0                                               None


Recommended action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate the risk posed by this vulnerability, ensure that BIG-IP devices 
are deployed in a secure local-area network environment and monitor for any 
suspicious activity around your local-area network. Illicit clients should be
denied access to the local-area network immediately.

Acknowledgments

F5 would like to acknowledge the following individuals for bringing this issue
to our attention, and for following the highest standards of responsible 
disclosure:

Christopher Meyer, Juraj Somorovsky, Eugen Weiss, and Jörg Schwenk of
Ruhr-University Bochum
Sebastian Schinzel of Münster University of Applied Sciences
Erik Tews of Technische Universität Darmstadt

Supplemental Information

SOL7778: BIG-IP hardware SSL and compression cards

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x)

- ------------------------------------------------------------------------------

SOL15567: OpenSSL vulnerability CVE-2014-5139 

Security Advisory

Original Publication Date: 09/05/2014

Description 

The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i 
allows remote SSL servers to cause a denial of service (NULL pointer 
dereference and client application crash) via a ServerHello message that 
includes an SRP ciphersuite without the required negotiation of that 
ciphersuite with the client. (CVE-2014-5139) 

Impact 

An attacker may be able to cause a denial-of-service (DoS) attack by specifying 
a Secure Remote Password (SRP) ciphersuite, even if it was not properly negotiated 
with the client. 

Status

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                           Versions known to be vulnerable      Versions known to be not vulnerable                         Vulnerable component or feature
BIG-IP LTM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP AAM                        None                                 11.4.0 - 11.6.0                                             None
BIG-IP AFM                        None                                 11.3.0 - 11.6.0                                             None
BIG-IP Analytics                  None                                 11.0.0 - 11.6.0                                             None
BIG-IP APM                        None                                 11.0.0 - 11.6.0, 10.1.0 - 10.2.4                            None
BIG-IP ASM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP Edge Gateway               None                                 11.0.0 - 11.3.0, 10.1.0 - 10.2.4                            None
BIG-IP GTM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP Link Controller            None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP PEM                        None                                 11.3.0 - 11.6.0                                             None
BIG-IP PSM                        None                                 11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            None
BIG-IP WebAccelerator             None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
BIG-IP WOM                        None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
ARX                               None                                 6.0.0 - 6.4.0                                               None
Enterprise Manager                None                                 3.0.0 - 3.1.1, 2.1.0 - 2.3.0                                None
FirePass                          None                                 7.0.0, 6.0.0 - 6.1.0                                        None
BIG-IQ Cloud                      None                                 4.0.0 - 4.3.0                                               None
BIG-IQ Device                     None                                 4.2.0 - 4.3.0                                               None
BIG-IQ Security                   None                                 4.0.0 - 4.3.0                                               None
LineRate                          2.4.0, 2.3.0 - 2.3.2, 2.2.0 - 2.2.4  2.4.1, 2.3.2, 2.2.5                                         OpenSSL

Recommended Action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability on LineRate systems, do not enable SRP. SRP is
not enabled by default.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

- ------------------------------------------------------------------------------

SOL15568: OpenSSL vulnerability CVE-2014-3510 

Security Advisory

Original Publication Date: 09/05/2014 

Description 

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 
0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS 
servers to cause a denial of service (NULL pointer dereference and client 
application crash) via a crafted handshake message in conjunction with a (1) 
anonymous DH or (2) anonymous ECDH ciphersuite. (CVE-2014-3510)

Impact 

A malicious server may be able to cause a denial-of-service (DoS) to 
clients using anonymous Diffie-Hellman (DH) ciphersuites via crafted packets.

Status

F5 Product Development has assigned ID 474757 (BIG-IP) to this vulnerability,
and has evaluated the currently supported releases for potential 
vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                           Versions known to be vulnerable      Versions known to be not vulnerable                         Vulnerable component or feature
BIG-IP LTM                        11.0.0 - 11.3.0, 10.1.0 - 10.2.4     11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP AAM                        None                                 11.4.0 - 11.6.0                                             None
BIG-IP AFM                        11.3.0                               11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP Analytics                  11.0.0 - 11.3.0                      11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP APM                        11.0.0 - 11.3.0, 10.1.0 - 10.2.4     11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP ASM                        11.0.0 - 11.3.0, 10.1.0 - 10.2.4     11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP Edge Gateway               11.0.0 - 11.3.0, 10.1.0 - 10.2.4     11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP GTM                        None                                 11.0.0 - 11.6.0, 10.1.0 - 10.2.4                            None
BIG-IP Link Controller            None                                 11.0.0 - 11.6.0, 10.1.0 - 10.2.4                            None
BIG-IP PEM                        11.3.0                               11.4.0 - 11.6.0                                             COMPAT SSL ciphers
BIG-IP PSM                        11.0.0 - 11.3.0, 10.1.0 - 10.2.4     11.4.0, 11.4.1                                              COMPAT SSL ciphers
BIG-IP WebAccelerator             11.0.0 - 11.3.0, 10.1.0 - 10.2.4     None                                                        COMPAT SSL ciphers
BIG-IP WOM                        11.0.0 - 11.3.0, 10.1.0 - 10.2.4     None                                                        COMPAT SSL ciphers
ARX                               None                                 6.2.0 - 6.4.0                                               None
Enterprise Manager                None                                 3.0.0 - 3.1.1, 2.1.0 - 2.3.0                                None
FirePass                          None                                 7.0.0, 6.1.0                                                None
BIG-IQ Cloud                      None                                 4.0.0 - 4.3.0                                               None
BIG-IQ Device                     None                                 4.2.0, 4.3.0                                                None
BIG-IQ Security                   None                                 4.0.0 - 4.3.0                                               None
LineRate                          None                                 2.4.0 - 2.4.1, 2.3.0 - 2.3.3, 2.2.0 - 2.2.6, 1.6.0 - 1.6.4  None
FirePass Clients                  None                                 5520 - 6032                                                 None
BIG-IP Edge Portal for iOS        None                                 1.0.0 - 1.0.3                                               None
BIG-IP Edge Portal for Android    None                                 1.0.0 - 1.0.2                                               None
BIG-IP Edge Clients for Android   2.0.0 - 2.0.5                        None                                                        VPN
BIG-IP Edge Clients for Apple iOS 2.0.0 - 2.0.2, 1.0.5 - 1.0.6         None                                                        VPN
BIG-IP Edge Clients for Linux     6500 - 7110                          6035.*                                                      VPN
BIG-IP Edge Clients for MAC OS X  6500 - 7110                          6035.*                                                      VPN
BIG-IP Edge Clients for Windows   6500 - 7110                          6035.*                                                      VPN


Recommended Action

You can eliminate this vulnerability by running a version listed in the 
Versions known to be not vulnerable column in the previous table. If the 
Versions known to be not vulnerable column does not list a version that is 
later than the version you are running, then no upgrade candidate currently 
exists.

For BIG-IP Edge Clients, there is no workaround. To mitigate this 
vulnerability for all other affected products, perform the following task:

Verify that Datagram Transport Layer Security (DTLS) virtual servers
referencing Secure Socket Layer (SSL) profiles do not permit COMPAT SSL
ciphers.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

- -----------------------------------------------------------------------------

SOL15541: OpenSSL vulnerability CVE-2014-3509 

Security Advisory

Original Publication Date: 09/05/2014 

Description 

Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in 
OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and 
session resumption are used, allows remote SSL servers to cause a denial of 
service (memory overwrite and client application crash) or possibly have 
unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats 
Extension data. (CVE-2014-3509) 

Impact 

None. F5 products are not affected by this vulnerability.


Recommended Action

None

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

- --------------------------------------------------------------------------------

SOL15571: OpenSSL vulnerability CVE-2014-3508 

Security Advisory

Original Publication Date: 09/05/2014 

Description 

The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before
0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is
used, does not ensure the presence of '\0' characters, which allows context-
dependent attackers to obtain sensitive information from process stack memory
by reading output from X509_name_oneline, X509_name_print_ex, and unspecified
other functions. (CVE-2014-3508)

Impact

Applications may be affected if they use pretty printing to echo output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

Status

F5 Product Development has assigned ID 474757 (LineRate) and ID 410742 (ARX) 
to this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                           Versions known to be vulnerable      Versions known to be not vulnerable                         Vulnerable component or feature
BIG-IP LTM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP AAM                        None                                 11.4.0 - 11.6.0                                             None
BIG-IP AFM                        None                                 11.3.0 - 11.6.0                                             None
BIG-IP Analytics                  None                                 11.0.0 - 11.6.0                                             None
BIG-IP APM                        None                                 11.0.0 - 11.6.0, 10.1.0 - 10.2.4                            None
BIG-IP ASM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP Edge Gateway               None                                 11.0.0 - 11.3.0, 10.1.0 - 10.2.4                            None
BIG-IP GTM                        None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP Link Controller            None                                 11.0.0 - 11.6.0, 10.0.0 - 10.2.4                            None
BIG-IP PEM                        None                                 11.3.0 - 11.6.0                                             None
BIG-IP PSM                        None                                 11.0.0 - 11.4.1, 10.0.0 - 10.2.4                            None
BIG-IP WebAccelerator             None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
BIG-IP WOM                        None                                 11.0.0 - 11.3.0, 10.0.0 - 10.2.4                            None
ARX                               6.0.0 - 6.4.0                        None                                                        Configuration utility
Enterprise Manager                None                                 3.0.0 - 3.1.1, 2.1.0 - 2.3.0                                None
FirePass                          None                                 7.0.0, 6.0.0 - 6.1.0                                        None
BIG-IQ Cloud                      None                                 4.0.0 - 4.3.0                                               None
BIG-IQ Device                     None                                 4.2.0 - 4.3.0                                               None
BIG-IQ Security                   None                                 4.0.0 - 4.3.0                                               None
LineRate                          2.4.0, 2.3.0 - 2.3.1                 2.2.0 - 2.2.4, 2.4.1, 2.3.2, 2.2.5                          Command-line interface
BIG-IP Edge Clients for Android   None                                 2.0.0 - 2.0.5                                               None
BIG-IP Edge Clients for Apple iOS None                                 2.0.0 - 2.0.2, 1.0.5 - 1.0.6                                None
BIG-IP Edge Clients for Linux     None                                 6035.* - 7110.*                                             None
BIG-IP Edge Clients for MAC OS X  None                                 6035.* - 7110.*                                             None
BIG-IP Edge Clients for Windows   None                                 6035.* - 7110.*                                             None
BIG-IP Edge Portal for Android    None                                 1.0.0 - 1.0.2                                               None
BIG-IP Edge Portal for Apple iOS  None                                 1.0.0 - 1.0.3                                               None

Recommended Action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----