-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2790
     F5 Security Advisory : Linux kernel vulnerability (CVE-2015-2830,
                CVE-2016-5829, CVE-2016-4470, CVE-2015-7872)
                              2 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Root Compromise     -- Existing Account
                   Denial of Service   -- Existing Account
                   Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5829 CVE-2016-4470 CVE-2015-7872
                   CVE-2015-2830

Reference:         ASB-2016.0089
                   ASB-2016.0017
                   ESB-2017.0456
                   ESB-2017.0273
                   ESB-2016.2602
                   ESB-2016.2592
                   ESB-2016.2561
                   ESB-2016.2551

Original Bulletin:
   https://support.f5.com/csp/article/K17462
   https://support.f5.com/csp/article/K94105604
   https://support.f5.com/csp/article/K55672042
   https://support.f5.com/csp/article/K28056114

Comment: This bulletin contains four (4) F5 Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

K17462: Linux kernel vulnerability CVE-2015-2830

Security Advisory

Original Publication Date: Oct 20, 2015
Updated Date: Nov 01, 2017

Applies to (see versions):

  o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
    BIG-IQ Centralized Management
    5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0
  o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
    Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
    BIG-IP WOM
    13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
    11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1,
    11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0
  o Product: Enterprise Manager
    3.1.1, 3.1.0, 3.0.0
  o Product: F5 iWorkflow
    2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
  o Product: LineRate
    2.6.2, 2.6.1, 2.6.0, 2.5.3, 2.5.2, 2.5.1, 2.5.0
  o Product: ARX, ARX
    6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0
  o Product: FirePass
    7.0.0, 6.1.0, 6.0.3, 6.0.2, 6.0.1, 6.0.0
  o Product: F5 WebSafe
    1.0.0
  o Product: Traffix SDC
    5.1.0, 5.0.0, 4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0, 3.5.1, 3.4.1, 3.3.2
  o Product: BIG-IQ Cloud and Orchestration
    1.0.0

Security Advisory Description

arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent
the TS_COMPAT flag from reaching a user-mode task, which might allow local
users to bypass the seccomp or audit protection mechanism via a crafted
application that uses the (1) fork or (2) close system call, as demonstrated
by an attack against seccomp before 3.16. (CVE-2015-2830)

Impact

An authenticated attacker may be able to cause an escalation of privileges
through a crafted application that uses the fork or close system call.

Security Advisory Status

F5 Product Development has assigned ID 533413 (BIG-IP), ID 542392 (BIG-IQ),
and ID 542393 (Enterprise Manager) to this vulnerability, and has evaluated
the currently supported releases for potential vulnerability. Additionally,
BIG-IP iHealth may list Heuristic H552758 on the Diagnostics > Identified >
Low screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0          |13.0.0           |          |                |
|               |11.6.0 - 11.6.1 |12.1.0 - 12.1.2  |          |                |
|BIG-IP LTM     |11.0.0 - 11.5.4 |12.0.0 HF1       |Low       |Linux kernel    |
|               |10.1.0 - 10.2.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP AAM     |11.6.0 - 11.6.1 |12.0.0 HF1       |Low       |Linux kernel    |
|               |11.4.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP AFM     |11.6.0 - 11.6.1 |12.0.0 HF1       |Low       |Linux kernel    |
|               |11.3.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP         |12.0.0          |12.1.0 - 12.1.2  |          |                |
|Analytics      |11.6.0 - 11.6.1 |12.0.0 HF1       |Low       |Linux kernel    |
|               |11.0.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 -         |          |                |
|BIG-IP APM     |11.6.1 - 11.6.1 |12.1.2           |Low       |Linux kernel    |
|               |11.0.0 - 11.5.4 |12.0.0 HF1       |          |                |
|               |10.1.0 - 10.2.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 -         |          |                |
|BIG-IP ASM     |11.6.1 - 11.6.1 |12.1.2           |Low       |Linux kernel    |
|               |11.0.0 - 11.5.4 |12.0.0 HF1       |          |                |
|               |10.1.0 - 10.2.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP DNS     |12.0.0          |12.1.0 - 12.1.2  |Low       |Linux kernel    |
|               |                |12.0.0 HF1       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge    |11.0.0 - 11.3.0 |None             |Low       |Linux kernel    |
|Gateway        |10.1.0 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.6.0 - 11.6.1 |11.6.2           |          |                |
|BIG-IP GTM     |11.0.0 - 11.5.4 |11.5.5           |Low       |Linux kernel    |
|               |10.1.0 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0          |13.0.0           |          |                |
|BIG-IP Link    |11.6.0 - 11.6.1 |12.1.0 - 12.1.2  |          |                |
|Controller     |11.0.0 - 11.5.4 |12.0.0 HF1       |Low       |Linux kernel    |
|               |10.1.0 - 10.2.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP PEM     |11.6.0 - 11.6.1 |12.0.0 HF1       |Low       |Linux kernel    |
|               |11.3.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM     |11.0.0 - 11.4.1 |None             |Low       |Linux kernel    |
|               |10.1.0 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP         |11.0.0 - 11.3.0 |None             |Low       |Linux kernel    |
|WebAccelerator |10.1.0 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM     |11.0.0 - 11.3.0 |None             |Low       |Linux kernel    |
|               |10.1.0 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |None            |6.0.0 - 6.4.0    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |3.0.0 - 3.1.1   |None             |Low       |Linux kernel    |
|Manager        |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|FirePass       |None            |7.0.0            |Not       |None            |
|               |                |6.0.0 - 6.1.0    |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |4.0.0 - 4.5.0   |None             |Low       |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device  |4.2.0 - 4.5.0   |None             |Low       |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0   |None             |Low       |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC     |4.5.0           |None             |Low       |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ         |5.0.0 - 5.1.0   |                 |          |                |
|Centralized    |4.6.0           |5.2.0 - 5.3.0    |Low       |Linux kernel    |
|Management     |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |                |
|and            |1.0.0           |None             |Low       |Linux kernel    |
|Orchestration  |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow   |2.0.0 - 2.0.2   |2.1.0 - 2.3.0    |Low       |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |None            |2.5.0 - 2.6.2    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|F5 WebSafe     |None            |1.0.0            |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |5.0.0 - 5.1.0    |Not       |                |
|Traffix SDC    |None            |4.0.0 - 4.4.0    |vulnerable|None            |
|               |                |3.3.2 - 3.5.1    |          |                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To mitigate this vulnerability for affected F5 products, you should permit
management access to F5 products only over a secure network, and limit shell
access to only trusted users. For more information about securing access to
BIG-IP/Enterprise Manager systems, refer to K13309: Restricting access to the
Configuration utility by source IP address (11.x - 13.x) and K13092: Overview
of securing access to the BIG-IP system.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K4602: Overview of the F5 security vulnerability response policy

===============================================================================

K28056114: Linux kernel vulnerability CVE-2016-5829

Security Advisory

Original Publication Date: Oct 22, 2016
Updated Date: Nov 01, 2017

Applies to (see versions):

  o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
    BIG-IQ Centralized Management
    5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0
  o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
    Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
    BIG-IP WOM
    13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
    11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1, 10.2.4,
    10.2.3, 10.2.2, 10.2.1
  o Product: Enterprise Manager
    3.1.1
  o Product: F5 iWorkflow
    2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
  o Product: LineRate
    2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
  o Product: ARX, ARX
    6.4.0, 6.3.0, 6.2.0
  o Product: F5 WebSafe
    1.0.0
  o Product: Traffix SDC
    4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0
  o Product: BIG-IQ Cloud and Orchestration
    1.0.0

Security Advisory Description

Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in
drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local
users to cause a denial of service or possibly have unspecified other impact
via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.
(CVE-2016-5829)

Impact

This vulnerability can allow a local user to corrupt kernel memory,
potentially escalate their privileges, or cause the system to stop responding.

Security Advisory Status

F5 Product Development has assigned IDs 622495 and 622496 (BIG-IP), ID 622257
(BIG-IQ and F5 iWorkflow), ID 622259 (Enterprise Manager), and INSTALLER-2785
(Traffix SDC) to this vulnerability. Additionally, BIG-IP iHealth may list
Heuristic H624273 on the Diagnostics > Identified > Medium screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP LTM     |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.2.1          |11.6.2           |          |                |
|               |10.2.1 - 10.2.4 |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP AAM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP AFM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP         |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|Analytics      |11.2.1          |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP APM     |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.2.1          |11.6.2           |          |                |
|               |10.2.1 - 10.2.4 |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP ASM     |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.2.1          |11.6.2           |          |                |
|               |10.2.1 - 10.2.4 |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP DNS     |12.0.0 - 12.1.2 |13.0.0           |Medium    |Linux kernel    |
|               |                |12.1.2 HF1       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge    |11.2.1          |None             |Medium    |Linux kernel    |
|Gateway        |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|BIG-IP GTM     |11.2.1          |11.5.4 HF3       |Medium    |Linux kernel    |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP Link    |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|Controller     |11.2.1          |11.6.2           |          |                |
|               |10.2.1 - 10.2.4 |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP PEM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM     |11.4.0 - 11.4.1 |None             |Medium    |Linux kernel    |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP         |11.2.1          |None             |Medium    |Linux kernel    |
|WebAccelerator |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM     |11.2.1          |None             |Medium    |Linux kernel    |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP WebSafe |11.6.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |                |11.6.2           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |None            |6.2.0 - 6.4.0    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |3.1.1           |None             |Medium    |Linux kernel    |
|Manager        |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |4.0.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device  |4.2.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC     |4.5.0           |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ         |5.0.0 - 5.1.0   |                 |          |                |
|Centralized    |4.6.0           |5.2.0 - 5.3.0    |Medium    |Linux kernel    |
|Management     |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |                |
|and            |1.0.0           |None             |Medium    |Linux kernel    |
|Orchestration  |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow   |2.0.0 - 2.0.2   |2.1.0 - 2.3.0    |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |None            |2.5.0 - 2.6.1    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC    |5.0.0           |None             |Low       |Linux kernel    |
|               |4.0.0 - 4.4.0   |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

To mitigate this vulnerability, you should consider the following
recommendations:

  o Permit management access to F5 products only over a secure network, and
    limit shell access to only trusted users. For more information about
    securing access to BIG-IP and Enterprise Manager systems, refer to K13309:
    Restricting access to the Configuration utility by source IP address
    (11.x - 13.x) and K13092: Overview of securing access to the BIG-IP
    system.
  o Lock down management port access and configure the self IP port lockdown
    feature to disallow unneeded ports on all self IP addresses. For more
    information, refer to K13250: Overview of port lockdown behavior
    (10.x - 11.x) or K17333: Overview of port lockdown behavior (12.x - 13.x).

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy

===============================================================================

K55672042: Linux kernel vulnerability CVE-2016-4470

Security Advisory

Original Publication Date: Oct 23, 2016
Updated Date: Nov 01, 2017

Applies to (see versions):

  o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
    BIG-IQ Centralized Management
    5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0
  o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
    Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
    BIG-IP WOM
    13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
    11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1, 10.2.4,
    10.2.3, 10.2.2, 10.2.1
  o Product: Enterprise Manager
    3.1.1
  o Product: F5 iWorkflow
    2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
  o Product: LineRate
    2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
  o Product: ARX, ARX
    6.4.0, 6.3.0, 6.2.0
  o Product: F5 WebSafe
    1.0.0
  o Product: Traffix SDC
    4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0
  o Product: BIG-IQ Cloud and Orchestration
    1.0.0

Security Advisory Description

The key_reject_and_link function in security/keys/key.c in the Linux kernel
through 4.6.3 does not ensure that a certain data structure is initialized,
which allows local users to cause a denial of service (system crash) via
vectors involving a crafted keyctl request2 command. (CVE-2016-4470)

Impact

This vulnerability allows disruption of service.

Security Advisory Status

F5 Product Development has assigned ID 623119 (BIG-IP), ID 623155 (BIG-IQ),
and ID 623156 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H624225 on the Diagnostics > Identified > Medium
screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0 - 12.1.2 |12.1.2 HF1       |          |                |
|BIG-IP LTM     |11.4.0 - 11.6.1 |11.6.2           |Medium    |Linux kernel    |
|               |11.2.1          |11.5.4 HF3       |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP AAM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP AFM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |          |                |
|BIG-IP         |11.4.0 - 11.6.1 |12.1.2 HF1       |Medium    |Linux kernel    |
|Analytics      |11.2.1          |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0 - 12.1.2 |12.1.2 HF1       |          |                |
|BIG-IP APM     |11.4.0 - 11.6.1 |11.6.2           |Medium    |Linux kernel    |
|               |11.2.1          |11.5.4 HF3       |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0 - 12.1.2 |12.1.2 HF1       |          |                |
|BIG-IP ASM     |11.4.0 - 11.6.1 |11.6.2           |Medium    |Linux kernel    |
|               |11.2.1          |11.5.4 HF3       |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP DNS     |12.0.0 - 12.1.2 |13.0.0           |Medium    |Linux kernel    |
|               |                |12.1.2 HF1       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge    |11.2.1          |10.2.1 - 10.2.4  |Medium    |Linux kernel    |
|Gateway        |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|BIG-IP GTM     |11.2.1          |11.5.4 HF3       |Medium    |Linux kernel    |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP Link    |12.0.0 - 12.1.2 |12.1.2 HF1       |          |                |
|Controller     |11.4.0 - 11.6.1 |11.6.2           |Medium    |Linux kernel    |
|               |11.2.1          |11.5.4 HF3       |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP PEM     |12.0.0 - 12.1.2 |12.1.2 HF1       |Medium    |Linux kernel    |
|               |11.4.0 - 11.6.1 |11.6.2           |          |                |
|               |                |11.5.4 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM     |11.4.0 - 11.4.1 |10.2.1 - 10.2.4  |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP         |11.2.1          |10.2.1 - 10.2.4  |Medium    |Linux kernel    |
|WebAccelerator |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM     |11.2.1          |10.2.1 - 10.2.4  |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|               |12.0.0 - 12.1.2 |13.0.0           |Not       |                |
|BIG-IP WebSafe |11.6.0 - 11.6.1 |12.1.2 HF1       |vulnerable|None            |
|               |                |11.6.2           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |None            |6.2.0 - 6.4.0    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |3.1.1           |None             |Medium    |Linux kernel    |
|Manager        |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |4.0.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device  |4.2.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0   |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC     |4.5.0           |None             |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ         |5.0.0 - 5.1.0   |                 |          |                |
|Centralized    |4.6.0           |5.2.0 - 5.3.0    |Medium    |Linux kernel    |
|Management     |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |                |
|and            |1.0.0           |None             |Medium    |Linux kernel    |
|Orchestration  |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow   |2.0.0 - 2.0.2   |2.1.0 - 2.3.0    |Medium    |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |None            |2.5.0 - 2.6.1    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC    |5.0.0           |None             |Low       |Linux kernel    |
|               |4.0.0 - 4.4.0   |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

None

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix matrix
  o K10942: Installing OPSWAT hotfixes on BIG-IP APM systems

===============================================================================

K94105604: Linux kernel vulnerability CVE-2015-7872

Security Advisory

Original Publication Date: Jan 14, 2016
Updated Date: Nov 01, 2017

Applies to (see versions):

  o Product: BIG-IQ
    5.X.X, 4.X.X
  o Product: BIG-IP
    13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
    11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1,
    11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0
  o Product: Enterprise Manager
    3.X.X
  o Product: F5 iWorkflow
    2.X.X
  o Product: LineRate
    2.X.X
  o Product: ARX, ARX
    6.4.0, 6.3.0, 6.2.0
  o Product: FirePass
    7.X.X
  o Product: F5 WebSafe
    1.X.X
  o Product: Traffix SDC
    4.X.X
  o Product: BIG-IQ Cloud and Orchestration
    1.X.X

Security Advisory Description

The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel
through 4.2.6 allows local users to cause a denial of service (OOPS) via
crafted keyctl commands. (CVE-2015-7872)

Impact

A local user may be able to cause a denial-of-service (DoS) attack on the
system by using specially crafted keyctl commands.

Security Advisory Status

F5 Product Development has assigned ID 563154 (BIG-IP), ID 565221 (BIG-IQ), ID
565223 (Enterprise Manager), and INSTALLER-2102 (Traffix SDC) to this
vulnerability, and has evaluated the currently supported releases for
potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic
H94105604 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |                |12.1.0 - 12.1.2  |          |                |
|               |12.0.0          |12.0.0 HF3       |          |                |
|BIG-IP LTM     |11.6.0 - 11.6.1 |11.6.2           |High      |Linux kernel    |
|               |11.1.0 - 11.5.4 |11.5.5           |          |                |
|               |                |11.0.0           |          |                |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP AAM     |11.6.0 - 11.6.1 |12.0.0 HF3       |High      |Linux kernel    |
|               |11.4.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP AFM     |11.6.0 - 11.6.1 |12.0.0 HF3       |High      |Linux kernel    |
|               |11.3.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP         |11.6.0 - 11.6.1 |12.0.0 HF3       |High      |Linux kernel    |
|Analytics      |11.1.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
|               |                |11.0.0           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |                |12.1.0 - 12.1.2  |          |                |
|               |12.0.0          |12.0.0 HF3       |          |                |
|BIG-IP APM     |11.6.0 - 11.6.1 |11.6.2           |High      |Linux kernel    |
|               |11.1.0 - 11.5.4 |11.5.5           |          |                |
|               |                |11.0.0           |          |                |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |                |12.1.0 - 12.1.2  |          |                |
|               |12.0.0          |12.0.0 HF3       |          |                |
|BIG-IP ASM     |11.6.0 - 11.6.1 |11.6.2           |High      |Linux kernel    |
|               |11.1.0 - 11.5.4 |11.5.5           |          |                |
|               |                |11.0.0           |          |                |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|BIG-IP DNS     |12.0.0          |12.1.0 - 12.1.2  |High      |Linux kernel    |
|               |                |12.0.0 HF3       |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge    |11.1.0 - 11.3.0 |11.0.0           |High      |Linux kernel    |
|Gateway        |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |11.6.2           |          |                |
|BIG-IP GTM     |11.6.0 - 11.6.1 |11.5.5           |High      |Linux kernel    |
|               |11.1.0 - 11.5.4 |11.0.0           |          |                |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |                |12.1.0 - 12.1.2  |          |                |
|BIG-IP Link    |12.0.0          |12.0.0 HF3       |          |                |
|Controller     |11.6.0 - 11.6.1 |11.6.2           |High      |Linux kernel    |
|               |11.1.0 - 11.5.4 |11.5.5           |          |                |
|               |                |11.0.0           |          |                |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0           |          |                |
|               |12.0.0          |12.1.0 - 12.1.2  |          |                |
|BIG-IP PEM     |11.6.0 - 11.6.1 |12.0.0 HF3       |High      |Linux kernel    |
|               |11.3.0 - 11.5.4 |11.6.2           |          |                |
|               |                |11.5.5           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM     |11.1.0 - 11.4.1 |11.0.0           |High      |Linux kernel    |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP         |11.1.0 - 11.3.0 |11.0.0           |High      |Linux kernel    |
|WebAccelerator |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM     |11.1.0 - 11.3.0 |11.0.0           |High      |Linux kernel    |
|               |                |10.1.0 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |None            |6.0.0 - 6.4.0    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |3.0.0 - 3.1.1   |None             |High      |Linux kernel    |
|Manager        |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|FirePass       |None            |7.0.0            |Not       |None            |
|               |                |6.0.0 - 6.1.0    |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |4.0.0 - 4.5.0   |None             |High      |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device  |4.2.0 - 4.5.0   |None             |High      |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0   |None             |High      |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC     |4.5.0           |None             |High      |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ         |5.0.0 - 5.1.0   |                 |          |                |
|Centralized    |4.6.0           |5.2.0 - 5.3.0    |High      |Linux kernel    |
|Management     |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |                |
|and            |1.0.0           |None             |High      |Linux kernel    |
|Orchestration  |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow   |2.0.0 - 2.1.0   |2.2.0 - 2.3.0    |High      |Linux kernel    |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |None            |2.5.0 - 2.6.1    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|F5 WebSafe     |None            |1.0.0            |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC    |4.0.0 - 4.4.0   |None             |Low       |Linux kernel    |
|               |3.3.2 - 3.5.1   |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

To mitigate this vulnerability, you can limit access to the Linux shell to
trusted users only.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K4602: Overview of the F5 security vulnerability response policy
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
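The triage rule from the K94105604 Recommended Actions above, worked through as an added example (not code from F5 or AusCERT). TABLE transcribes only the BIG-IP LTM and BIG-IP PSM rows of the advisory table; the function names are hypothetical, and treating a later hotfix on the same release as also not vulnerable is an assumption.

```python
import re

# Two rows transcribed from the K94105604 table in this bulletin.
TABLE = {
    "BIG-IP LTM": {
        "vulnerable": ["12.0.0", "11.6.0 - 11.6.1", "11.1.0 - 11.5.4"],
        "not_vulnerable": ["13.0.0", "12.1.0 - 12.1.2", "12.0.0 HF3", "11.6.2",
                           "11.5.5", "11.0.0", "10.1.0 - 10.2.4"],
    },
    "BIG-IP PSM": {
        "vulnerable": ["11.1.0 - 11.4.1"],
        "not_vulnerable": ["11.0.0", "10.1.0 - 10.2.4"],
    },
}

def parse(version):
    """'12.0.0 HF3' -> (12, 0, 0, 3); no hotfix means hotfix level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def span(cell):
    """Table cell -> inclusive (low, high); a single version is its own range."""
    low, _, high = cell.partition(" - ")
    return parse(low), parse(high or low)

def assess(product, running):
    """Return (status, upgrade_candidates) for one product row."""
    row, cur = TABLE[product], parse(running)
    base = cur[:3]
    safe = [(cell, *span(cell)) for cell in row["not_vulnerable"]]
    # Assumption: hotfixes are cumulative, so HF3 or later on that release is safe.
    hotfixed = any(lo[:3] == base and lo[3] and cur[3] >= lo[3] for _, lo, _ in safe)
    in_vuln = any(lo[:3] <= base <= hi[:3] for lo, hi in map(span, row["vulnerable"]))
    in_safe = any(lo[:3] <= base <= hi[:3] and not lo[3] for _, lo, hi in safe)
    if hotfixed or (in_safe and not in_vuln):
        return "not vulnerable", []
    if not in_vuln:
        return "not listed", []
    # Only non-vulnerable releases newer than the running one are upgrade candidates.
    return "vulnerable", [cell for cell, _, hi in safe if hi > cur]

if __name__ == "__main__":
    print(assess("BIG-IP LTM", "12.0.0"))
    print(assess("BIG-IP PSM", "11.4.1"))
```

BIG-IP PSM 11.4.1 comes back vulnerable with an empty candidate list: the row lists only older non-vulnerable versions, which is the "no upgrade candidate currently exists" case, leaving the shell-access mitigation as the remaining control.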