===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1670
                K42891424: Grep vulnerability CVE-2015-1345
                                3 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Grep
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1345  

Reference:         ESB-2016.0128
                   ESB-2015.2870
                   ESB-2015.1924

Original Bulletin: 
   https://support.f5.com/csp/article/K42891424

- --------------------------BEGIN INCLUDED TEXT--------------------

K42891424: Grep vulnerability CVE-2015-1345

Security Advisory

Original Publication Date: Jun 29, 2017

The vulnerability described in this article has been resolved, or does not 
affect any F5 products. There will be no further updates, unless new 
information is discovered.

Security Advisory Description

The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local 
users to cause a denial of service (out-of-bounds heap read and crash) via 
crafted input when using the -F option. (CVE-2015-1345)
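
As an added example (not part of the F5 advisory or the AusCERT bulletin), the shell function below checks a host's grep version banner against the release range given above. It assumes the range applies to GNU grep and that the reported version is the upstream release number; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: classify a `grep --version` banner against the release range
# named in the advisory (grep 2.19 through 2.21).
# Prints one of: affected | not-affected | unknown
# Assumption: the upstream version number is taken at face value, so a vendor
# build with a backported fix still reports "affected" and needs a manual check.

classify_grep_banner() {
    cgb_banner=$1
    # Assumption: the range refers to GNU grep; other implementations
    # (BSD grep, BusyBox) are reported as unknown rather than guessed at.
    case $cgb_banner in
        *"GNU grep"*) ;;
        *) echo unknown; return 0 ;;
    esac
    # First dotted number on the first banner line, e.g. "2.20" or "2.5.1".
    cgb_ver=$(printf '%s\n' "$cgb_banner" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$cgb_ver" ] || { echo unknown; return 0; }
    cgb_major=${cgb_ver%%.*}
    case $cgb_ver in
        *.*) cgb_minor=${cgb_ver#*.}; cgb_minor=${cgb_minor%%.*} ;;
        *)   cgb_minor=0 ;;
    esac
    if [ "$cgb_major" -eq 2 ] && [ "$cgb_minor" -ge 19 ] && [ "$cgb_minor" -le 21 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Classify the grep found first on PATH of the host this runs on.
check_local_grep() {
    classify_grep_banner "$(grep --version 2>/dev/null || true)"
}

# Constructed sample banners, followed by the local binary.
for sample in 'grep (GNU grep) 2.20' 'grep (GNU grep) 2.5.1' \
              'grep (GNU grep) 3.11' 'grep (BSD grep) 2.5.1-FreeBSD'; do
    printf '%-32s %s\n' "$sample" "$(classify_grep_banner "$sample")"
done
printf '%-32s %s\n' 'local grep' "$(check_local_grep)"
```

For F5 products, the version table in this advisory remains the authoritative check.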

Impact

A local user may cause a denial-of-service (DoS) by way of crafted input when
using the -F option.

Security Advisory Status

F5 Product Development has assigned ID 537582 (BIG-IP) and ID LRS-61265 
(LineRate) to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                         Versions known to be vulnerable  Versions known to be not vulnerable  Severity        Vulnerable component or feature
------------------------------  -------------------------------  -----------------------------------  --------------  -------------------------------
BIG-IP LTM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
                                                                 11.2.1
BIG-IP AAM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
BIG-IP AFM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
BIG-IP Analytics                12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
                                                                 11.2.1
BIG-IP APM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
                                                                 11.2.1
BIG-IP ASM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
                                                                 11.2.1
BIG-IP DNS                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
BIG-IP Edge Gateway             None                             11.2.1                               Not vulnerable  None
BIG-IP GTM                      None                             11.4.0 - 11.6.1                      Not vulnerable  None
                                                                 11.2.1
BIG-IP Link Controller          12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
                                                                 11.2.1
BIG-IP PEM                      12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.4.0 - 11.6.1
BIG-IP PSM                      None                             11.4.0 - 11.4.1                      Not vulnerable  None
BIG-IP WebAccelerator           None                             11.2.1                               Not vulnerable  None
BIG-IP WebSafe                  12.0.0                           13.0.0                               Low             grep utility
                                                                 12.1.0 - 12.1.2
                                                                 11.6.0 - 11.6.1
ARX                             None                             6.2.0 - 6.4.0                        Not vulnerable  None
Enterprise Manager              None                             3.1.1                                Not vulnerable  None
BIG-IQ Cloud                    None                             4.4.0 - 4.5.0                        Not vulnerable  None
BIG-IQ Device                   None                             4.4.0 - 4.5.0                        Not vulnerable  None
BIG-IQ Security                 None                             4.4.0 - 4.5.0                        Not vulnerable  None
BIG-IQ ADC                      None                             4.5.0                                Not vulnerable  None
BIG-IQ Centralized Management   None                             5.0.0 - 5.2.0                        Not vulnerable  None
                                                                 4.6.0
BIG-IQ Cloud and Orchestration  None                             1.0.0                                Not vulnerable  None
F5 iWorkflow                    None                             2.0.0 - 2.2.0                        Not vulnerable  None
LineRate                        2.5.0 - 2.6.2                    None                                 Low             grep utility
Traffix SDC                     None                             5.0.0 - 5.1.0                        Not vulnerable  None
                                                                 4.0.0 - 4.4.0

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability for BIG-IP systems, you should ensure that any
regex used with the grep utility is not subject to control by an attacker. F5
recommends that you permit management access to F5 products only over a secure
network and restrict command line access for affected systems to only trusted
users. For more information, refer to K13309: Restricting access to the 
Configuration utility by source IP address (11.x) and K13092: Overview of 
securing access to the BIG-IP system.

Impact of action: Performing the suggested mitigation should not have a 
negative impact on your system.

To mitigate this vulnerability for LineRate systems, you should avoid running
LineRate on a hypervisor-based system, as this is the only way to exploit this
vulnerability on a LineRate system.

Impact of action: Performing the suggested mitigation should not have a 
negative impact on your system.

Supplemental Information

K9970: Subscribing to email notifications regarding F5 products

K9957: Creating a custom RSS feed to view new and updated documents

K4602: Overview of the F5 security vulnerability response policy

K4918: Overview of the F5 critical issue hotfix policy

K167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================