Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4496.4
Security fixes for F5 BIG-IP products
13 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-6673 CVE-2019-6672 CVE-2019-6671
CVE-2019-6669 CVE-2019-6667 CVE-2019-6666
CVE-2019-6665
Original Bulletin:
https://support.f5.com/csp/article/K82781208
https://support.f5.com/csp/article/K79240502
https://support.f5.com/csp/article/K92411323
https://support.f5.com/csp/article/K26462555
https://support.f5.com/csp/article/K39794285
https://support.f5.com/csp/article/K14703097
https://support.f5.com/csp/article/K11447758
https://support.f5.com/csp/article/K39225055
https://support.f5.com/csp/article/K24241590
https://support.f5.com/csp/article/K81557381
Revision History: February 13 2020: Vendor updated advisory K11447758 with updated fix details
December 20 2019: Added updated K92411323
December 16 2019: Added updated K82781208
November 27 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K82781208:BIG-IP FIX profile vulnerability CVE-2019-6667
Security Advisory
Original Publication Date: 27 Nov, 2019
Latest Publication Date: 14 Dec, 2019
Security Advisory Description
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1.1.5,
12.1.0-12.1.4.1, and 11.5.1-11.6.5, under certain conditions, TMM may consume
excessive resources when processing traffic for a Virtual Server with the FIX
(Financial Information eXchange) profile applied. (CVE-2019-6667)
Impact
This vulnerability may result in a denial-of-service (DoS) attack on the
affected BIG-IP system due to resource exhaustion. The affected BIG-IP system
temporarily will fail to process traffic as it recovers from a Traffic
Management Microkernel (TMM) restart, and devices configured in a device group
may fail over.
Security Advisory Status
F5 Product Development has assigned ID 758065 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
|BIG-IP (LTM, AAM, |14.x |14.1.0 |14.1.0.6 | | | |
|AFM, Analytics, | |14.0.0 |14.0.0.5 | | | |
|APM, ASM, DNS, Edge+------+----------+----------+ | | |
|Gateway, FPS, GTM, |13.x |13.1.0 - |13.1.3 |High |7.5 |FIX |
|Link Controller, | |13.1.1 | | | |profile |
|PEM, +------+----------+----------+ | | |
|WebAccelerator) |12.x |12.1.0 - |12.1.5 | | | |
| | |12.1.4 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.5.1^2 -|11.6.5.1 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |6.x |None |Not | | | |
|BIG-IQ Centralized | | |applicable|Not | | |
|Management +------+----------+----------+vulnerable|None |None |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |5.x |None |Not | | | |
| | | |applicable|Not | | |
|Traffix SDC +------+----------+----------+vulnerable|None |None |
| |4.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2F5 will not be developing a fix for the 11.5.x software branches, and this
table will not be updated with subsequent vulnerable releases in these
branches. For more information, refer to K4602: Overview of the F5 security
vulnerability response policy.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
- --------------------------------------------------------------------------------
K79240502: BIG-IP ASM Bot Detection DNS cache does not expire security exposure
Original Publication Date: 27 Nov, 2019
Security Advisory Description
When BIG-IP ASM Bot Detection is configured, the BIG-IP ASM system performs a
reverse DNS lookup to determine if bot traffic classified as legitimate is, in
fact, from those services (for example, Google). These DNS responses are cached
indefinitely (until the Traffic Management Microkernel [TMM] or unit is
restarted) and do not expire. Therefore, if a malicious entity is able to
inject an invalid DNS response back to the BIG-IP system before the legitimate
DNS server responds, or the legitimate DNS response is corrupted in flight, the
invalid record will be cached indefinitely.
This issue occurs when all of the following conditions are met:
o BIG-IP ASM Bot Detection is configured.
o The BIG-IP ASM is configured to use an untrusted DNS resolver.
o The BIG-IP ASM security policy is processing traffic.
Impact
If a malicious actor is able to inject invalid DNS responses, bots that would
normally be classified as legitimate may be classified as malicious, causing
Bot Detection to take action per the policy configuration against traffic that
would otherwise be allowed.
Symptoms
As a result of this issue, you may encounter one or more of the following
symptoms:
o Invalid DNS responses are indefinitely cached by the BIG-IP ASM system.
o Bots normally classified as legitimate may be classified as malicious.
Security Advisory Status
F5 Product Development has assigned ID 761231 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |13.1.3 |K2200: Most recent versions of F5 |
| |12.1.5 |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.1 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.0.6 |matrix |
| |14.0.0.5 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Mitigation
On fixed versions, cached DNS responses now expire and a malicious actor would
need to continually inject invalid responses to maintain disruption. The
default expiry time across all versions is 300 seconds. The expire time is
fixed and cannot be modified.
F5 recommends, as a best practice, that you use a trusted DNS server for
lookups (for example, one hosted within your own secure infrastructure) and
that you make queries only across a trusted, controlled network. Following this
practice will effectively mitigate the risk of a bad actor being able to inject
malicious DNS responses between the BIG-IP ASM system and the configured DNS
server.
- --------------------------------------------------------------------------------
K92411323:BIG-IP AAM vulnerability CVE-2019-6666
Security Advisory
Original Publication Date: 27 Nov, 2019
Latest Publication Date: 20 Dec, 2019
Security Advisory Description
The TMM process may produce a core file when an upstream server or cache sends
the BIG-IP system an invalid age header value. (CVE-2019-6666)
Impact
The BIG-IP system temporarily fails to process traffic as it recovers from a
Traffic Management Microkernel (TMM) restart, and devices configured in a
device group may fail over.
Security Advisory Status
F5 Product Development has assigned ID 753975 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 |14.1.2 | | | |
|BIG-IP (LTM, AAM, |14.x |14.0.0 |14.1.0.6 | | | |
|AFM, Analytics, | | |14.0.0.5 | | | |
|APM, ASM, DNS, Edge+------+----------+----------+ | |AAM Ram |
|Gateway, FPS, GTM, |13.x |13.0.0 - |13.1.1.5 |High |7.5 |Cache |
|Link Controller, | |13.1.1 | | | | |
|PEM, +------+----------+----------+ | | |
|WebAccelerator) |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |6.x |None |Not | | | |
|BIG-IQ Centralized | | |applicable|Not | | |
|Management +------+----------+----------+vulnerable|None |None |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |5.x |None |Not | | | |
| | | |applicable|Not | | |
|Traffix SDC +------+----------+----------+vulnerable|None |None |
| |4.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K26462555:BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow device authentication and trust vulnerability CVE-2019-6665
Original Publication Date: 27 Nov, 2019
Security Advisory Description
An attacker with access to the device communication between the BIG-IP ASM
Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be
able to set up the proxy the same way and intercept the traffic. (CVE-2019-6665
)
Impact
BIG-IP ASM / BIG-IQ / Enterprise Manager / F5 iWorkflow
With access to the authentication token, the attacker will be able to
impersonate the BIG-IP ASM Central Policy Builder and send corrupted or
incorrect suggestion data to the BIG-IQ/Enterprise Manager/F5 iWorkflow. This
may lead to incorrect policy building suggestions or a partial
denial-of-service (DoS).
BIG-IP (LTM, AAM, AFM, Analytics, APM, DNS, Edge Gateway, GTM, Link Controller,
PEM, WebAccelerator, WebSafe) / Traffix SDC
There is no impact; these F5 products are not affected by this vulnerability.
Security Advisory Status
F5 Product Development has assigned ID 636400 (BIG-IP), ID 569250 (BIG-IQ), ID
693466 (Enterprise Manager), and ID 693474 (F5 iWorkflow) to this
vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table.
+---------------+------+----------+----------+----------+------+--------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score |gcomponent or |
| | |be |in | | |feature |
| | |vulnerable| | | | |
+---------------+------+----------+----------+----------+------+--------------+
| |15.x |15.0.0 - |15.0.1.1 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
| |14.x |14.1.2 |14.1.2.1 | | | |
| | |14.0.0 - |14.0.1.1 | | | |
| | |14.0.1 | | | |Device |
|BIG-IP ASM +------+----------+----------+High |7.7 |authentication|
| |13.x |13.1.0 - |13.1.3.2 | | |/trust |
| | |13.1.3.1 | | | | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+---------------+------+----------+----------+----------+------+--------------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IP (LTM, +------+----------+----------+ | | |
|AAM, AFM, |14.x |None |Not | | | |
|Analytics, APM,| | |applicable| | | |
|DNS, Edge +------+----------+----------+ | | |
|Gateway, |13.x |None |Not |Not |None |None |
|GTM, Link | | |applicable|vulnerable| | |
|Controller, +------+----------+----------+ | | |
|PEM, |12.x |None |Not | | | |
|WebAccelerator,| | |applicable| | | |
|WebSafe) +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+---------------+------+----------+----------+----------+------+--------------+
|Enterprise | | | | | |Device |
|Manager |3.x |3.1.1 |None |High |7.7 |authentication|
| | | | | | |/trust |
+---------------+------+----------+----------+----------+------+--------------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IQ +------+----------+----------+ | |Device |
|Centralized |6.x |6.0.0 |6.1.0 |High |7.7 |authentication|
|Management +------+----------+----------+ | |/trust |
| |5.x |5.2.0 - |None | | | |
| | |5.4.0 | | | | |
+---------------+------+----------+----------+----------+------+--------------+
| | | | | | |Device |
|F5 iWorkflow |2.x |2.3.0 |None |High |7.7 |authentication|
| | | | | | |/trust |
+---------------+------+----------+----------+----------+------+--------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+---------------+------+----------+----------+----------+------+--------------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Note: For details about how Security Advisory articles are versioned, and what
versions are listed in the table, refer to K51812227: Understanding Security
Advisory versioning.
To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
.
Mitigation
To mitigate this vulnerability, you should permit device communication between
the affected devices only over a trusted and secure network.
- --------------------------------------------------------------------------------
K39794285: The BIG-IP system may fail to properly parse HTTP headers that are
prepended by whitespace (non RFC2616 compliant)
Security Advisory
Original Publication Date: 27 Nov, 2019
Security Advisory Description
The BIG-IP system may fail to properly parse HTTP headers that are prepended by
whitespace. This issue occurs when all of the following conditions are met:
o A virtual server is associated with an HTTP profile.
o The BIG-IP system receives a specially crafted HTTP request or response
containing one or more headers with prepended whitespace that does not
conform to RFC2616.
When a browser communicates with a server over HTTP, it can split a long header
into several lines by prepending continuation lines with leading white space
(per RFC2616). This rule does not apply to the first line of the request (for
example, the line containing request method, URI, etc. cannot be continued on a
second line) and, therefore, having leading white space as the first characters
of the first subsequent header lines is invalid. When a virtual server is
configured with an associated HTTP profile, in affected versions, the BIG-IP
system parses such a line as a header with an empty value.
Impact
The BIG-IP system can hide important HTTP headers, either passing those to the
pool member, failing to properly handle the request (or response), or failing
to correctly load balance a connection (or request in the case of having an
associated OneConnect profile). The header preceeded by whitespace may not be
accessible within an iRule, a Local Traffic Policy, or a similar mechanism.
Symptoms
As a result of this issue, you may encounter one or more of the following
symptoms:
o The BIG-IP system erroneously rejects an HTTP request that is interpreted
to be missing one or more required headers (for example, the Host header).
o The BIG-IP system performs invalid load balancing on an HTTP request that
is interpreted to be missing hash cookie persistence.
Security Advisory Status
F5 Product Development has assigned ID 788325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |None |None |
+------------------+-----------------+----------------------------------------+
| |15.0.1.1 | |
|Point release/ |14.1.2.1 |K9502: BIG-IP hotfix and point release |
|hotfix |14.0.1.1 |matrix |
| |13.1.3.2 | |
| |11.6.5.1 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
There is no work around for this issue.
Acknowledgements
F5 would like to acknowledge the F5 DevCentral MVP Kai Wilke of itacs GmbH for
bringing this issue to our attention, and for following the highest standards
of responsible disclosure.
- --------------------------------------------------------------------------------
K14703097: BIG-IP AFM vulnerability CVE-2019-6672
Original Publication Date: 27 Nov, 2019
Security Advisory Description
When bad-actor detection is configured on a wildcard virtual server on
platforms with hardware-based sPVA, the performance of the BIG-IP AFM system is
degraded. (CVE-2019-6672)
Impact
The affected BIG-IP AFM system's CPU usage increases and may cause
the legitimate network packets to be dropped or delayed. This reduces the
threshold for a denial-of-service (DoS) attack. This does not affect BIG-IP VE
deployments, as only the sPVA hardware implementation is affected.
Security Advisory Status
F5 Product Development has assigned ID 781449 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score |gcomponent |
| | |be |in | | |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.0.1.1 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.1 | | | |
| | |14.1.2 | | | | |
|BIG-IP AFM +------+----------+----------+ | | |
| |13.x |13.1.0 - |13.1.3.2 |Medium |5.9 |AFM |
| | |13.1.3 | | | | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IP (LTM, AAM, |14.x |None |Not | | | |
|Analytics, APM, | | |applicable| | | |
|ASM, DNS, Edge +------+----------+----------+ | | |
|Gateway, FPS, GTM, |13.x |None |Not |Not |None |None |
|Link Controller, | | |applicable|vulnerable| | |
|PEM, +------+----------+----------+ | | |
|WebAccelerator) |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To avoid this vulnerability, you can configure the bad-actor filtering at the
global context instead of at the wildcard virtual server context.
- --------------------------------------------------------------------------------
K11447758:TMM vulnerability CVE-2019-6669
Security Advisory
Original Publication Date: 27 Nov, 2019
Latest Publication Date: 11 Feb, 2020
Security Advisory Description
Undisclosed traffic flow may cause the Traffic Management Microkernel (TMM) to
restart under some circumstances. (CVE-2019-6669)
Impact
A remote attacker may be able to cause the Traffic Management Microkernel (TMM)
to restart. This issue occurs on multi-blade chassis, including multi-blade
vCMP guests. This issue does not occur on single-bladed systems, on BIG-IP
Virtual Edition (VE), or on single-bladed vCMP guests.
Security Advisory Status
F5 Product Development has assigned ID 761014 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
|BIG-IP (LTM, AAM, |14.x |14.1.2 |14.1.2.1 | | | |
|AFM, Analytics, | |14.0.0 - |14.0.1.1 | | | |
|APM, ASM, DNS, Edge| |14.0.1 | | | | |
|Gateway, FPS, GTM, +------+----------+----------+Medium |6.5 |TMM |
|Link Controller, |13.x |13.0.0 - |13.1.3.2 | | | |
|PEM, | |13.1.3 | | | | |
|WebAccelerator) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.1 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.5.2 - |None | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |6.x |None |Not | | | |
|BIG-IQ Centralized | | |applicable|Not | | |
|Management +------+----------+----------+vulnerable|None |None |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |5.x |None |Not | | | |
| | | |applicable|Not | | |
|Traffix SDC +------+----------+----------+vulnerable|None |None |
| |4.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K39225055: BIG-IP TMM vulnerability CVE-2019-6671
Original Publication Date: 27 Nov, 2019
Security Advisory Description
Under certain conditions, the Traffic Management Microkernel (TMM) may leak
memory when processing packet fragments, leading to resource starvation.(
CVE-2019-6671)
Impact
Resource starvation due to a memory leak may cause the Traffic Management
Microkernel (TMM) to restart, leading to failover in a high availability (HA)
environment.
Security Advisory Status
F5 Product Development has assigned ID 777737 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score |gcomponent |
| | |be |in | | |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.0.1.1 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
| |14.x |14.1.2 |14.1.2.1 | | | |
|BIG-IP (LTM, AAM, | |14.0.0 - |14.0.1.1 | | | |
|AFM, Analytics, | |14.0.1 | | | | |
|APM, ASM, DNS, Edge+------+----------+----------+ | | |
|Gateway, FPS, GTM, | |13.1.0 - | |Medium |5.9 |TMM |
|Link Controller, |13.x |13.1.3 |13.1.3.2 | | | |
|PEM, | | | | | | |
|WebAccelerator) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
| |6.x |None |Not | | | |
|BIG-IQ Centralized | | |applicable|Not | | |
|Management +------+----------+----------+vulnerable|None |None |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
- --------------------------------------------------------------------------------
K24241590: BIG-IP APM ignores the Restrict to Single Client IP option for Native RDP resources
Original Publication Date: 27 Nov, 2019
Security Advisory Description
This issue occurs when all of the following conditions are met:
o You enable the Restrict to Single Client IP option in the Access profile.
o Users access a native Remote Desktop Protocol (RDP) resource on the BIG-IP
APM webtop.
When launching a native RDP resource from the BIG-IP APM Webtop, the BIG-IP APM
system provides an RDP file to the client browser and the client browser
invokes the native RDP client to launch the resource with the parameters
specified in the RDP file. When the Access profile Restrict to Single Client IP
option is enabled, a user should only be allowed to launch the resource from
the client that initiated the request.
Impact
An unauthorized client machine can launch an RDP session to a back-end resource
server in an APM session.
Symptoms
As a result of this issue, you may encounter the following symptom:
o With access to the RDP file that the BIG-IP APM provided (in another APM
session), you can use the RDP file to launch an RDP session to a back-end
resource server.
Security Advisory Status
F5 Product Development has assigned ID 769853 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |None |None |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.1 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.2.1 |matrix |
| |14.0.1.1 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
None
- --------------------------------------------------------------------------------
K81557381: BIG-IP HTTP/2 vulnerability CVE-2019-6673
Original Publication Date: 27 Nov, 2019
Security Advisory Description
When the BIG-IP system is configured in HTTP/2 full proxy mode, specifically
crafted requests may cause a disruption of service provided by the Traffic
Management Microkernel (TMM). (CVE-2019-6673)
Impact
An attacker may be able to use a specifically crafted request to cause a
disruption of service. The data plane is impacted and exposed only when a
virtual server is configured with an associated HTTP profile, HTTP/2 client and
server profile, and the HTTP MRF Router option is enabled (HTTP/2 full proxy
mode).
Security Advisory Status
F5 Product Development has assigned ID 798249 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-----------------+------+----------+----------+-----------+------+-----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score |gcomponent |
| | |be |in | | |or feature |
| | |vulnerable| | | | |
+-----------------+------+----------+----------+-----------+------+-----------+
| |15.x |15.0.0 - |15.0.1.1 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.1 | | | |
| | |14.1.2 | | | |virtual |
|BIG-IP (LTM, AAM,+------+----------+----------+ | |servers |
|AFM, APM, ASM, |13.x |None |Not |Low |3.7 |(HTTP MRF |
|FPS, Link | | |applicable| | |Router |
|Controller, PEM) +------+----------+----------+ | |option) |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+-----------+------+-----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IP +------+----------+----------+Not | | |
|(Analytics, DNS, |13.x |None |Not |vulnerable |gNone |None |
|GTM) | | |applicable|2 | | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+-----------+------+-----------+
|Enterprise |3.x |None |Not |Not |None |None |
|Manager | | |applicable|vulnerable | | |
+-----------------+------+----------+----------+-----------+------+-----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IQ +------+----------+----------+ | | |
|Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable | | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+-----------+------+-----------+
|F5 iWorkflow |2.x |None |Not |Not |None |None |
| | | |applicable|vulnerable | | |
+-----------------+------+----------+----------+-----------+------+-----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable | | |
+-----------------+------+----------+----------+-----------+------+-----------+
^2The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can disable the HTTP MRF Router option for
the affected virtual server. To do so, perform the following procedure:
Impact of action: The HTTP/2 full proxy mode is disabled for the virtual
server.
Disabling the HTTP MRF Router option
1. Log in to the Configuration utility.
2. Go to Local Traffic > Virtual Servers > Virtual Server List.
3. Click the name of the affected virtual server.
4. Under Acceleration, clear the HTTP MRF Router check box.
5. Select Update.
6. Repeat the above steps for each virtual server for which the HTTP MRF
Router option is enabled.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXkTXE2aOgq3Tt24GAQjI4xAAmCAzivTK4EJRat0ExcR2T6qAat6Nrfw9
74ucWdy81kyGlRvvVQt4E4ScdVvJxu3EQBo4/nDrPI1PuFakyv8EjkZ2omgufJqt
udHGxJhzVognQRAs4ThBgQIQjCbxcm5PqF0WnNpmXZGf1R0KxI+put198vM/CH9l
xIGnApkO+xOWrponD5mKSALcPJbGzBmOUn5mKO+uITrA7beqNMBL0J/37Kj/u8Pq
lgTvGRzUFLHsR1jV7YajKXDJnuyDvwym2yoaT7z/EIH8LGLlZ1V6pZpcmFfuu20X
OUk1O2bqADrNsCAM9YpD81xroVs0IYRgSyftWDgsFa3BJk0TKw/DJ1zuB0oq5qok
UFm7xlwaNc7LDjDHZswlrpRqeM3qWoNf3HWo3hKp/0JfPTr+iMv+5c77uFpX+0+U
ARCvCoMpZLqtKvkIztftQdfC9jyAEU4IEI868MkwMAE7aUd1DUTIYLxvw1KfWxrq
f6NEYgD4fGRXLsLAnnz5aMPW42zlI4nGkwbfJxxbZMUGJKbRpa6/bXMhhm9RBe0Y
yffdiYLjctmzpJx6ezDWckD78oUgWPykPpmbOo7OCuwLArZLMAgQkfPbr4z8txOp
S5RY1yOJwweDnEsUuqd1OdARqKVMExyCd04GpHYqPX6GuaCiQYG22yEq7Ldi0E9h
AroUB5aWtd4=
=3Z9n
-----END PGP SIGNATURE-----