-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1551.8
              Vulnerabilities in multiple F5 BIG-IP Products
                                3 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Create Arbitrary Files         -- Unknown/Unspecified         
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5891 CVE-2020-5890 CVE-2020-5889
                   CVE-2020-5888 CVE-2020-5887 CVE-2020-5886
                   CVE-2020-5885 CVE-2020-5884 CVE-2020-5883
                   CVE-2020-5881 CVE-2020-5880 CVE-2020-5879
                   CVE-2020-5877 CVE-2020-5876 CVE-2020-5875
                   CVE-2020-5874 CVE-2020-5872 

Original Bulletin: 
   https://support.f5.com/csp/article/K46901953
   https://support.f5.com/csp/article/K10251014
   https://support.f5.com/csp/article/K12234501
   https://support.f5.com/csp/article/K88474783
   https://support.f5.com/csp/article/K58494243
   https://support.f5.com/csp/article/K17663061
   https://support.f5.com/csp/article/K63558580
   https://support.f5.com/csp/article/K32121038
   https://support.f5.com/csp/article/K33572148
   https://support.f5.com/csp/article/K10701310
   https://support.f5.com/csp/article/K43404365
   https://support.f5.com/csp/article/K25165813
   https://support.f5.com/csp/article/K72540690
   https://support.f5.com/csp/article/K03318649
   https://support.f5.com/csp/article/K03386032
   https://support.f5.com/csp/article/K72423000
   https://support.f5.com/csp/article/K65720640
   https://support.f5.com/csp/article/K73274382
   https://support.f5.com/csp/article/K54200228
   https://support.f5.com/csp/article/K94325657
   https://support.f5.com/csp/article/K65372933
   https://support.f5.com/csp/article/K24415506

Revision History:  June       3 2021: Vendor updated vulnerable version for advisory K46901953 and marked it as final
                   December  18 2020: Vendor update K25165813 with release hotfix information
                   September 15 2020: Vendor updated K10701310 adding important information for conditions that trigger issues in BIG-IP LTM
                   July       2 2020: Vendor released minor updates
                   June      19 2020: Vendor updated  K88474783, K32121038 and K54200228 advisories
                   May       14 2020: Vendor released minor update
                   May       14 2020: Vendor released minor update
                   May        1 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K46901953: BIG-IP APM virtual server vulnerability CVE-2020-5874

Original Publication Date: 30 Apr, 2020
Latest   Publication Date: 02 Jun, 2021

Security Advisory Description

In certain circumstances, an attacker sending specifically crafted requests to
a BIG-IP APM virtual server may cause a disruption of service provided by the
Traffic Management Microkernel (TMM). (CVE-2020-5874)

Impact

An attacker may be able to perform a denial-of-service (DoS) attack on a BIG-IP
system by causing the TMM process to restart.

The data plane is only impacted and exposed when the virtual server is
configured to use OpenID connect. The control plane is not impacted by this
vulnerability.

Security Advisory Status

F5 Product Development has assigned ID 794561 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+------------------+------+----------+----------+----------+------+-----------+
|                  |      |Versions  |Fixes     |          |CVSSv3|Vulnerable |
|Product           |Branch|known to  |introduced|Severity  |score^|component  |
|                  |      |be        |in        |          |1     |or feature |
|                  |      |vulnerable|          |          |      |           |
+------------------+------+----------+----------+----------+------+-----------+
|                  |15.x  |15.0.0 -  |15.1.0    |          |      |           |
|                  |      |15.0.1    |15.0.1.3  |          |      |           |
|                  +------+----------+----------+          |      |           |
|                  |      |14.1.0 -  |          |          |      |           |
|                  |14.x  |14.1.2    |14.1.2.4^2|          |      |           |
|                  |      |14.0.0 -  |14.0.1.1  |          |      |           |
|                  |      |14.0.1    |          |          |      |OpenID     |
|BIG-IP APM        +------+----------+----------+High      |7.5   |Connect    |
|                  |13.x  |13.1.0 -  |13.1.4.1  |          |      |Integration|
|                  |      |13.1.4    |          |          |      |           |
|                  +------+----------+----------+          |      |           |
|                  |12.x  |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
|                  +------+----------+----------+          |      |           |
|                  |11.x  |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
+------------------+------+----------+----------+----------+------+-----------+
|                  |15.x  |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
|                  +------+----------+----------+          |      |           |
|                  |14.x  |None      |Not       |          |      |           |
|BIG-IP (LTM, AAM, |      |          |applicable|          |      |           |
|AFM, Analytics,   +------+----------+----------+          |      |           |
|ASM, DNS, FPS,    |13.x  |None      |Not       |Not       |None  |None       |
|GTM, Link         |      |          |applicable|vulnerable|      |           |
|Controller, PEM)  +------+----------+----------+          |      |           |
|                  |12.x  |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
|                  +------+----------+----------+          |      |           |
|                  |11.x  |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
+------------------+------+----------+----------+----------+------+-----------+
|                  |7.x   |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
|                  +------+----------+----------+          |      |           |
|BIG-IQ Centralized|6.x   |None      |Not       |Not       |None  |None       |
|Management        |      |          |applicable|vulnerable|      |           |
|                  +------+----------+----------+          |      |           |
|                  |5.x   |None      |Not       |          |      |           |
|                  |      |          |applicable|          |      |           |
+------------------+------+----------+----------+----------+------+-----------+
|Traffix SDC       |5.x   |None      |Not       |Not       |None  |None       |
|                  |      |          |applicable|vulnerable|      |           |
+------------------+------+----------+----------+----------+------+-----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
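The upgrade decision described in the paragraph above can be applied mechanically. The following is an added example, not code from F5 or AusCERT: it encodes the BIG-IP APM row of the K46901953 table as data, reads a range such as 15.0.0 - 15.0.1 the way the table's own rows imply (every 15.0.0.x and 15.0.1.x release until the point release listed under Fixes introduced in), reports whether a given running version is vulnerable, and lists the fix versions newer than it, an empty list being the advisory's "no upgrade candidate currently exists" case. Footnote ^2 is honoured by leaving 14.1.2.4 out of the candidates. The same logic applies unchanged to the version tables in the advisories that follow; the function and type names are this example's own.

```python
"""Evaluate a running BIG-IP version against an advisory version table.

Added example, not code from F5 or AusCERT. The table data is transcribed
from the BIG-IP APM row of the K46901953 (CVE-2020-5874) table above; the
function and type names are this example's own."""
from typing import List, NamedTuple, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'15.0.1.3' -> (15, 0, 1, 3). Shorter strings are zero-padded to four
    components so that 15.0.1 and 15.0.1.0 compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def in_range(v: Version, low: str, high: str) -> bool:
    """A table range '15.0.0 - 15.0.1' covers every 15.0.0.x and 15.0.1.x
    release, so the upper bound is a prefix comparison on the components the
    table lists, while the lower bound is an ordinary ordered comparison."""
    high_parts = tuple(int(p) for p in high.split("."))
    return parse_version(low) <= v and v[: len(high_parts)] <= high_parts


class BranchRow(NamedTuple):
    branch: str                         # e.g. "15.x"
    vulnerable: List[Tuple[str, str]]   # inclusive (low, high) ranges
    fixes: List[str]                    # "Fixes introduced in" entries
    unsupported: Tuple[str, ...] = ()   # fixes footnoted as unsupported (^2)


# BIG-IP APM row of the K46901953 table, as printed in the advisory above.
K46901953_APM = [
    BranchRow("15.x", [("15.0.0", "15.0.1")], ["15.1.0", "15.0.1.3"]),
    BranchRow("14.x", [("14.1.0", "14.1.2"), ("14.0.0", "14.0.1")],
              ["14.1.2.4", "14.0.1.1"], ("14.1.2.4",)),
    BranchRow("13.x", [("13.1.0", "13.1.4")], ["13.1.4.1"]),
    BranchRow("12.x", [], []),   # "None" / "Not applicable"
    BranchRow("11.x", [], []),
]


def is_vulnerable(version: str, rows: List[BranchRow]) -> bool:
    """True when the version lies inside a listed vulnerable range and is older
    than every fix issued inside that same range. Fixes are matched to a range
    by prefix (14.1.2.4 belongs to 14.1.0 - 14.1.2), so a fix on a sibling
    maintenance line (14.0.1.1) never clears a 14.1.x release."""
    v = parse_version(version)
    for row in rows:
        for low, high in row.vulnerable:
            if not in_range(v, low, high):
                continue
            fixes_here = [parse_version(f) for f in row.fixes
                          if in_range(parse_version(f), low, high)]
            return all(v < f for f in fixes_here)
    return False


def upgrade_candidates(version: str, rows: List[BranchRow]) -> List[str]:
    """Every 'Fixes introduced in' version newer than the running one, minus
    releases the advisory footnotes as unsupported. An empty list is the
    advisory's 'no upgrade candidate currently exists' case."""
    v = parse_version(version)
    found = [f for row in rows for f in row.fixes
             if f not in row.unsupported and parse_version(f) > v]
    return sorted(found, key=parse_version)


def assess(version: str, rows: List[BranchRow] = K46901953_APM) -> dict:
    return {
        "version": version,
        "vulnerable": is_vulnerable(version, rows),
        "upgrade_to": upgrade_candidates(version, rows),
    }


if __name__ == "__main__":
    for running in ("14.1.0", "14.1.2.4", "15.0.1.3", "13.1.4", "12.1.5"):
        print(assess(running))
```

To reuse the checker for another advisory on this page, transcribe that advisory's table into BranchRow entries; the only table-specific assumption is the prefix reading of range upper bounds, which the fix versions in each table (a point release one step past the range's upper bound) bear out.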

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems


- --------------------------------------------------------------------------------


K54200228: BIG-IP iRules vulnerability CVE-2020-5877

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 02 Jul, 2020

Security Advisory Description

Malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event
may lead to a denial of service. (CVE-2020-5877) 

Impact

Remote attackers may be able to perform a denial-of-service (DoS) attack on the
BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 830401 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |15.1.0    |          |          |      |          |
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.0.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.5  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.4  |High      |7.5   |iRules    |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K12234501: BIG-IP virtual server vulnerability CVE-2020-5883

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

When a virtual server is configured with HTTP explicit proxy and has an
attached HTTP_PROXY_REQUEST iRule, POST requests sent to the virtual server
cause an xdata memory leak. (CVE-2020-5883)

Impact

The BIG-IP system may become vulnerable to conditions that result when it is
out of memory because of a memory leak.

Security Advisory Status

F5 Product Development has assigned ID 810537 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+---------------+------+----------+----------+----------+------+------------------+
|               |      |Versions  |Fixes     |          |CVSSv3|Vulnerable        |
|Product        |Branch|known to  |introduced|Severity  |score^|component or      |
|               |      |be        |in        |          |1     |feature           |
|               |      |vulnerable|          |          |      |                  |
+---------------+------+----------+----------+----------+------+------------------+
|               |15.x  |15.0.0 -  |15.1.0    |          |      |                  |
|               |      |15.0.1    |15.0.1.1  |          |      |                  |
|               +------+----------+----------+          |      |                  |
|               |      |14.1.0 -  |          |          |      |                  |
|BIG-IP (AAM,   |14.x  |14.1.2    |14.1.2.4  |          |      |                  |
|AFM, APM, ASM, |      |14.0.0 -  |14.0.1.1  |          |      |HTTP Explicit     |
|Edge Gateway,  |      |14.0.1    |          |          |      |Proxy Virtual     |
|FPS, LTM, Link +------+----------+----------+Medium    |5.3   |Server with       |
|Controller,    |13.x  |13.1.0 -  |13.1.3.2  |          |      |HTTP_PROXY_REQUEST|
|PEM,           |      |13.1.3    |          |          |      |iRule             |
|WebAccelerator)+------+----------+----------+          |      |                  |
|               |12.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
|               +------+----------+----------+          |      |                  |
|               |11.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
+---------------+------+----------+----------+----------+------+------------------+
|               |15.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
|               +------+----------+----------+          |      |                  |
|               |14.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
|BIG-IP         +------+----------+----------+          |      |                  |
|(Analytics,    |13.x  |None      |Not       |Not       |None  |None              |
|DNS, GTM)      |      |          |applicable|vulnerable|      |                  |
|               +------+----------+----------+          |      |                  |
|               |12.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
|               +------+----------+----------+          |      |                  |
|               |11.x  |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
+---------------+------+----------+----------+----------+------+------------------+
|               |6.x   |None      |Not       |          |      |                  |
|BIG-IQ         |      |          |applicable|Not       |      |                  |
|Centralized    +------+----------+----------+vulnerable|None  |None              |
|Management     |5.x   |None      |Not       |          |      |                  |
|               |      |          |applicable|          |      |                  |
+---------------+------+----------+----------+----------+------+------------------+
|Traffix SDC    |5.x   |None      |Not       |Not       |None  |None              |
|               |      |          |applicable|vulnerable|      |                  |
+---------------+------+----------+----------+----------+------+------------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K88474783: BIG-IP DoS profile vulnerability CVE-2020-5879

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 18 Jun, 2020

Security Advisory Description

Under certain configurations, the BIG-IP system sends data plane traffic to
back-end servers unencrypted, even when a Server SSL profile is applied.
(CVE-2020-5879)

Impact

The affected system sends some requests to the back-end server without
encryption, possibly leaking sensitive data. The requests affected by this
vulnerability are processed by a virtual server associated with a DoS profile
that has a CAPTCHA challenge configured.

Security Advisory Status

F5 Product Development has assigned ID 513137 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |BIG-IP DoS|
|BIG-IP (ASM)       |13.x  |None      |Not       |Medium    |5.9   |profile   |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |12.0.0    |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|BIG-IP (LTM, AAM,  |      |          |applicable|          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, DNS, FPS, GTM,|13.x  |None      |Not       |Not       |None  |None      |
|Link Controller,   |      |          |applicable|vulnerable|      |          |
|PEM)               +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o The Configuring CAPTCHA for DoS protection section under the Preventing DoS
    Attacks on Applications chapter of the BIG-IP Application Security Manager:
    Implementations guide.

    Note: For information about how to locate F5 product guides, refer to
    K12453464: Finding product documentation on AskF5.


- --------------------------------------------------------------------------------


K58494243: BIG-IP HTTP/2 vulnerability CVE-2020-5891

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

Undisclosed HTTP/2 requests can lead to a denial of service when sent to a
virtual server configured with the Fallback Host setting and a server-side
HTTP/2 profile. (CVE-2020-5891)

Impact

The Traffic Management Microkernel (TMM) may generate a core file and restart,
causing a traffic disruption or failover event. This vulnerability affects only
virtual servers with the Fallback Host setting configured and a server-side
HTTP/2 profile assigned.

Security Advisory Status

F5 Product Development has assigned ID 868097 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |15.1.0    |15.1.0.2  |          |      |          |
|                   |15.x  |15.0.0 -  |15.0.1.3  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |HTTP/2    |
|APM, ASM, FPS, Link|13.x  |None      |Not       |Low       |3.7   |profile   |
|Controller, PEM)   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (GTM, DNS)  |13.x  |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can remove the fallback host from the HTTP
profile on the client side. To do so, perform the following procedure:

Impact of action: The fallback host configuration option allows the BIG-IP
system to serve a 302 response to redirect clients to a specific website when
the pool associated with the virtual server is marked down. After you remove
the fallback host configuration option, the system does not serve any pages to
clients when the pool is unavailable.

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > Profiles > Services > HTTP.
 3. Select the HTTP profile associated with the virtual server.
 4. In the Fallback Host box, delete all contents.
 5. Select Update.

    Note: Changes will take effect only for newly established connections.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------



K17663061: BIG-IP SSL state mirroring vulnerability CVE-2020-5885

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 02 Jul, 2020

Security Advisory Description

BIG-IP systems set up for connection mirroring in a high availability (HA) pair
transfer sensitive cryptographic objects over an insecure communications
channel. This is a control plane issue which is exposed only on the network
used for connection mirroring. (CVE-2020-5885)

Impact

On-path attackers may be able to read and modify the keys used for EXPORT-based
cipher suites. Only HA pairs with session mirroring or connection mirroring
enabled are vulnerable.

Security Advisory Status

F5 Product Development has assigned ID 829117 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.5  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.4  |Medium    |4.8   |BIG-IP HA |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can enable the statemirror.secure database
variable, or you can protect the VLAN that you use for mirroring from untrusted
entities. To do so, perform one of the following procedures:

  o Enabling the statemirror.secure database variable
  o Protecting the VLAN that you use for mirroring from untrusted entities

Enabling the statemirror.secure database variable

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. To enable the statemirror.secure database variable, enter the following
    command:

    modify /sys db statemirror.secure value enable

Protecting the VLAN that you use for mirroring from untrusted entities

  o To prevent on-path attackers from exploiting this vulnerability, you
    can set up a direct connection between the BIG-IP HA systems.
  o To reduce the risk of the vulnerability, you can protect the VLAN that you
    use for mirroring from untrusted entities.

    For more information, refer to the Mirroring recommendations section of
    K14135: Defining network resources for BIG-IP HA features (11.x - 15.x) and
    the Recommendations section of K84303332: Overview of connection and
    persistence mirroring (13.x - 15.x).

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------


K63558580: BIG-IP crypto driver vulnerability CVE-2020-5872

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

When processing TLS traffic with hardware cryptographic acceleration enabled on
platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may
stop responding and cause a failover event. (CVE-2020-5872)

Impact

Hardware cryptographic acceleration fails and TMM may stop responding, which
causes a failover event if the BIG-IP system is configured as part of a device
group. This vulnerability applies to the following platforms:

  o i4600, i4800, YK i4000
  o i5600, i5800, HRC-i5000, HRC-i5800, i5820-DF
  o i7600, i7800, i7000-D, i7820-DF
  o i10600, i10800, i10000-D, HRC-i10800
  o i11600, i11800, i11000-DS, i11000-D
  o i15600, i15800, i15000-N
  o VIPRION B4400N blade

Security Advisory Status

F5 Product Development has assigned ID 762453 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+-----------------+------+----------+----------+----------+------+------------+
|                 |      |Versions  |Fixes     |          |CVSSv3|Vulnerable  |
|Product          |Branch|known to  |introduced|Severity  |score^|component or|
|                 |      |be        |in        |          |1     |feature     |
|                 |      |vulnerable|          |          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|                 |15.x  |None      |15.0.0    |          |      |            |
|                 +------+----------+----------+          |      |            |
|                 |      |14.1.0 -  |          |          |      |            |
|                 |14.x  |14.1.2    |14.1.2.4  |          |      |            |
|                 |      |14.0.0 -  |14.0.1.1  |          |      |            |
|BIG-IP (LTM, AAM,|      |14.0.1    |          |          |      |            |
|AFM, Analytics,  +------+----------+----------+          |      |SSL Profiles|
|APM, ASM, DNS,   |13.x  |13.1.0 -  |13.1.3.2  |High      |7.5   |- Hardware  |
|FPS, GTM, Link   |      |13.1.3    |          |          |      |acceleration|
|Controller, PEM) +------+----------+----------+          |      |            |
|                 |12.x  |12.1.0 -  |12.1.5    |          |      |            |
|                 |      |12.1.4    |          |          |      |            |
|                 +------+----------+----------+          |      |            |
|                 |11.x  |None      |Not       |          |      |            |
|                 |      |          |applicable|          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|                 |6.x   |None      |Not       |          |      |            |
|BIG-IQ           |      |          |applicable|Not       |      |            |
|Centralized      +------+----------+----------+vulnerable|None  |None        |
|Management       |5.x   |None      |Not       |          |      |            |
|                 |      |          |applicable|          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|Traffix SDC      |5.x   |None      |Not       |Not       |None  |None        |
|                 |      |          |applicable|vulnerable|      |            |
+-----------------+------+----------+----------+----------+------+------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this issue, you can disable crypto hardware acceleration. To do so,
perform the following procedure:

Note: Disabling hardware-based crypto acceleration results in all crypto
operations being processed in software, which may cause higher CPU and memory
usage depending on traffic patterns.

Impact of workaround: The impact of the suggested workaround depends on the
specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. Disable crypto hardware acceleration by entering the following command:

    modify /sys db crypto.hwacceleration value disable
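The three workarounds above (clearing the fallback host in the HTTP profile, enabling statemirror.secure, disabling crypto.hwacceleration) can be audited from captured tmsh output; this is an added example, not F5 code, and it assumes the output formats of tmsh list sys db and tmsh list ltm profile http shown in the comments, plus a hypothetical fallback-host none form of the profile fix.

```python
"""Added example (not F5 code): audit captured tmsh output for the three
workarounds above: fallback host cleared, statemirror.secure enabled and
crypto.hwacceleration disabled. The tmsh output formats are assumed."""
import re
from typing import Dict, List, NamedTuple, Optional

# Desired db variable values, taken from the two mitigation procedures.
EXPECTED_DB = {
    "statemirror.secure": "enable",      # K17663061
    "crypto.hwacceleration": "disable",  # K63558580
}

# Assumed format of 'tmsh list sys db <name>':  sys db <name> { value "<v>" }
_DB_RE = re.compile(
    r'sys db (?P<name>[\w.\-]+)\s*\{\s*value\s+"(?P<value>[^"]*)"\s*\}')
# Assumed format of 'tmsh list ltm profile http': one block per profile,
# with an optional 'fallback-host <value>' line ("none" when cleared).
_PROFILE_START = re.compile(r'^ltm profile http (?P<name>\S+)\s*\{')
_FALLBACK_RE = re.compile(r'^\s*fallback-host\s+(?P<host>\S+)')

class Finding(NamedTuple):
    item: str
    current: Optional[str]
    expected: str
    ok: bool
    fix: str  # tmsh command that brings the item into the expected state

def parse_sys_db(text: str) -> Dict[str, str]:
    """{variable name: value} for every block in the captured output."""
    return {m["name"].lower(): m["value"].lower() for m in _DB_RE.finditer(text)}

def audit_db(text: str, expected=EXPECTED_DB) -> List[Finding]:
    """Compare each expected variable with its captured value; a variable
    that is absent from the output is reported as not ok."""
    values = parse_sys_db(text)
    return [Finding(name, values.get(name), want, values.get(name) == want,
                    f"modify /sys db {name} value {want}")
            for name, want in expected.items()]

def parse_http_profiles(text: str) -> Dict[str, Optional[str]]:
    """{profile name: fallback-host value, or None if the property is absent}.
    Line based, so nested sub-blocks inside a profile do not confuse it."""
    profiles: Dict[str, Optional[str]] = {}
    current = None
    for line in text.splitlines():
        start = _PROFILE_START.match(line)
        if start:
            current = start["name"]
            profiles[current] = None
            continue
        if current is None:
            continue
        if line.startswith("}"):  # top-level closing brace ends the profile
            current = None
            continue
        fb = _FALLBACK_RE.match(line)
        if fb:
            profiles[current] = fb["host"]
    return profiles

def audit_fallback_host(text: str) -> List[Finding]:
    """One finding per HTTP profile: ok when no fallback host is configured.
    The 'fallback-host none' form of the fix is assumed, not from the page."""
    return [Finding(f"ltm profile http {name}", host, "none",
                    host in (None, "none"),
                    f"modify /ltm profile http {name} fallback-host none")
            for name, host in parse_http_profiles(text).items()]

# Constructed samples of the captured output for an unmitigated system.
SAMPLE_DB = """\
sys db statemirror.secure {
    value "disable"
}
sys db crypto.hwacceleration {
    value "enable"
}
"""
SAMPLE_PROFILES = """\
ltm profile http http {
    app-service none
    fallback-host none
}
ltm profile http app_http {
    defaults-from http
    fallback-host http://maintenance.example.test
}
"""

if __name__ == "__main__":
    for f in audit_db(SAMPLE_DB) + audit_fallback_host(SAMPLE_PROFILES):
        print(f"{f.item}: current={f.current} expected={f.expected} "
              f"{'ok' if f.ok else 'NOT OK, run: ' + f.fix}")
```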

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K32121038: BIG-IP mcpd vulnerability CVE-2020-5876

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 18 Jun, 2020

Security Advisory Description

A race condition exists where mcpd and other processes may make unencrypted
connection attempts to a new configuration sync peer. The race condition can
occur when changing the ConfigSync IP address of a peer, adding a new peer, or
when the Traffic Management Microkernel (TMM) first starts up. (CVE-2020-5876)

Impact

The race condition gives an attacker a small window of opportunity to take
over the connection and spoof a trusted peer device, in order to extract and/or
modify sensitive information on the system. This vulnerability is only present
when the BIG-IP system is configured as part of a ConfigSync high availability
(HA) device group.

Security Advisory Status

F5 Product Development has assigned ID 811849 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.4^2|          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |None      |High      |8.1   |mcpd      |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.1  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K33572148: The BIG-IP ASM system may fail to mask a configured sensitive parameter in the Referer header value

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

The BIG-IP ASM system may fail to mask a configured sensitive parameter in the
Referer header value.

This issue occurs when all of the following conditions are met:

  o You configured a sensitive parameter located in Security > Application
    Security > Parameters > Sensitive Parameters for a security policy.
  o The virtual server associated with the security policy receives a request
    containing the configured sensitive parameter in its query string.

Impact

The BIG-IP ASM system does not mask the configured sensitive parameter in a
redirected request, and the request exposes the value of the sensitive
parameter in the Referer HTTP header.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o When a client request with a configured sensitive parameter, for example,
    param, is received:

    /users/testuser/crsf/1.php?param=asd

    And the request is then redirected with the URI as part of the Referer
    header, the value of the sensitive parameter, param, is unmasked:

    GET /index.php?param=123 HTTP/1.1
    Connection: keep-alive
    X-Forwarded-For: 192.168.5.1
    Referer: http://192.168.198.27/users/testuser/crsf/1.php?param=asd
    Host: 192.168.198.27
    User-Agent: Apache-HttpClient/4.2.6 (java 1.5)

Security Advisory Status

F5 Product Development has assigned ID 681010 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.1.0.2         |K9502: BIG-IP hotfix and point release  |
|hotfix            |15.0.1.3         |matrix                                  |
|                  |14.1.2.4         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

There is no workaround prior to BIG-IP 14.0.0. To work around this issue in
BIG-IP 14.0.0 and later, you can enable the Mask Value in Logs setting for the
Referer HTTP header in the affected security policy. To do so, perform the
following procedure:

Impact of workaround: Enabling this setting masks the value of the Referer
header in all requests, as well as all logs, regardless of whether there is
sensitive information in it or not. Depending on your application environment,
this may have an impact, especially when troubleshooting application issues.

 1. Log in to the Configuration utility.
 2. Go to Security > Application Security > Headers > HTTP Headers.
 3. For Currently edited policy, select the policy you want to modify.
 4. For HTTP Headers, select referer.
 5. For Mask Value in Logs, select the Enable check box.
 6. Select Update.
 7. Select Apply Policy.
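The two behaviours side by side, as an added example that is not ASM code: per-parameter masking of a configured sensitive parameter in the request-target and the Referer header (what the affected system fails to do), the whole-header masking that the Mask Value in Logs workaround applies, and a check that flags a logged request whose Referer still exposes the value. The sample request is constructed from the one in the Symptoms section.

```python
"""Added example (not ASM code): masking a configured sensitive parameter in
the Referer header, beside the whole-header masking of the workaround."""
from typing import Iterable, List
from urllib.parse import urlsplit, urlunsplit

MASK = "****"

def mask_query(query: str, sensitive: Iterable[str]) -> str:
    """Hide the value of every configured sensitive parameter in a query
    string; other name=value pairs are passed through untouched."""
    names = {s.lower() for s in sensitive}
    out = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, _value = pair.partition("=")
        out.append(f"{name}={MASK}" if name.lower() in names else pair)
    return "&".join(out)

def mask_url(url: str, sensitive: Iterable[str]) -> str:
    """Mask sensitive parameters in the query part of a URL or request-target."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    return urlunsplit(parts._replace(query=mask_query(parts.query, sensitive)))

def mask_request(raw: str, sensitive: Iterable[str],
                 mask_whole_referer: bool = False) -> str:
    """Mask the request-target and the Referer header of one HTTP request.
    mask_whole_referer=True reproduces the effect of the workaround's
    'Mask Value in Logs' setting: the entire Referer value is hidden, whether
    or not it carries a sensitive parameter."""
    lines = raw.split("\r\n")
    if lines and lines[0]:
        method, _, rest = lines[0].partition(" ")
        target, _, version = rest.partition(" ")
        lines[0] = f"{method} {mask_url(target, sensitive)} {version}".rstrip()
    for i, line in enumerate(lines[1:], start=1):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            new = MASK if mask_whole_referer else mask_url(value.strip(), sensitive)
            lines[i] = f"{name}: {new}"
    return "\r\n".join(lines)

def unmasked_in_referer(raw: str, sensitive: Iterable[str]) -> List[str]:
    """Detection helper: names of sensitive parameters whose value is still
    visible in the Referer header of a logged request (empty list is clean)."""
    names = {s.lower() for s in sensitive}
    found = []
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if not (sep and name.strip().lower() == "referer"):
            continue
        for pair in urlsplit(value.strip()).query.split("&"):
            pname, _, pvalue = pair.partition("=")
            if pname.lower() in names and pvalue != MASK:
                found.append(pname)
    return found

# Constructed sample modelled on the request shown in the advisory.
SAMPLE_REQUEST = (
    "GET /index.php?param=123 HTTP/1.1\r\n"
    "Connection: keep-alive\r\n"
    "X-Forwarded-For: 192.168.5.1\r\n"
    "Referer: http://192.168.198.27/users/testuser/crsf/1.php?param=asd\r\n"
    "Host: 192.168.198.27\r\n"
    "User-Agent: Apache-HttpClient/4.2.6 (java 1.5)\r\n"
)

if __name__ == "__main__":
    print("unmasked before:", unmasked_in_referer(SAMPLE_REQUEST, ["param"]))
    print(mask_request(SAMPLE_REQUEST, ["param"]))
    print(mask_request(SAMPLE_REQUEST, ["param"], mask_whole_referer=True))
```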

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K52154401: Masking data in the BIG-IP ASM request log


- --------------------------------------------------------------------------------


K10701310: BIG-IP may not detect invalid Transfer-Encoding headers

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 15 Sep, 2020

Security Advisory Description

This issue occurs when the conditions listed in the following table are met for
the provisioned BIG-IP module and its affected version.

+-------+------------------------------------------------------------+--------+
|Product|Conditions that trigger the issue                           |Affected|
|(s)    |                                                            |versions|
+-------+------------------------------------------------------------+--------+
|       |For versions prior to 15.1.0, the implementation for        |        |
|       |enforcing RFC compliance for the HTTP protocol is not       |        |
|       |per-profile; it is global for all HTTP profiles, enabled by |        |
|       |the Tmm.HTTP.RFC.Enforcement system database variable. When |        |
|       |the database variable is enabled, invalid Transfer-Encoding |        |
|BIG-IP |headers are not caught by the protocol compliance checks.   |14.1.2.3|
|LTM    |                                                            |12.1.5.1|
|       |Important: If either HTTP PSM or ASM is configured on a     |        |
|       |virtual server, the state of the tmm.http.rfc.enforcement   |        |
|       |variable or the "Enforce RFC Compliance" check box (15.1.0+)|        |
|       |is ignored on that virtual server. Requests will be allowed |        |
|       |or blocked based on the configured ASM or PSM policy.       |        |
+-------+------------------------------------------------------------+--------+
|BIG-IP |                                                            |        |
|AAM,   |These products inherit HTTP features from BIG-IP LTM.       |14.1.2.3|
|APM,   |                                                            |12.1.5.1|
|PEM    |                                                            |        |
+-------+------------------------------------------------------------+--------+
|       |                                                            |15.0.1  |
|       |                                                            |15.0.0  |
|BIG-IP |The HTTP protocol security feature is configured and        |14.1.2  |
|AFM    |associated with a virtual server.                           |14.1.0  |
|       |                                                            |13.1.x  |
|       |                                                            |12.1.x  |
|       |                                                            |11.6.x  |
+-------+------------------------------------------------------------+--------+

Impact

BIG-IP LTM, AAM, APM, and PEM may not drop invalid traffic as expected.

BIG-IP AFM may not block or alarm invalid traffic as expected.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o Detection of invalid Transfer-Encoding headers may not work as expected.
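The RFC 7230 framing rules that a Transfer-Encoding compliance check enforces, as an added example that is not F5's implementation: it returns the reasons a request would be rejected, combining multiple Transfer-Encoding lines as the RFC requires, and the sample requests are constructed.

```python
"""Added example (not F5 code): an RFC 7230 compliance check for the
Transfer-Encoding header, the kind of check the advisory says may not fire."""
import re
from typing import Iterable, List, Tuple

# Transfer-codings registered for HTTP/1.1 (RFC 7230 section 4) plus the
# x- aliases it lists as equivalent.
KNOWN_CODINGS = {"chunked", "compress", "x-compress", "deflate", "gzip", "x-gzip"}
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def split_list(value: str) -> List[str]:
    """Split a comma-separated field value (RFC 7230 #rule), dropping the empty
    elements the rule permits and lower-casing each transfer-coding."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]

def validate_transfer_encoding(headers: Iterable[Tuple[str, str]],
                               version: str = "HTTP/1.1") -> List[str]:
    """Return the framing violations found in one request's headers; an empty
    list means the message length is unambiguous. Multiple Transfer-Encoding
    lines are combined into one list, as section 3.2.2 requires."""
    headers = list(headers)
    problems: List[str] = []
    te_values = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    has_cl = any(n.strip().lower() == "content-length" for n, _ in headers)
    if not te_values:
        return problems  # nothing to check here; Content-Length rules apply
    if version.upper() == "HTTP/1.0":
        problems.append("Transfer-Encoding is not defined for HTTP/1.0")
    codings = [c for v in te_values for c in split_list(v)]
    if not codings:
        problems.append("empty Transfer-Encoding value")
        return problems
    # A coding may carry parameters ('name;k=v'); validate the name part.
    names = [c.split(";", 1)[0].strip() for c in codings]
    for name in names:
        if not _TOKEN_RE.match(name):
            problems.append(f"malformed transfer-coding token {name!r}")
        elif name not in KNOWN_CODINGS:
            problems.append(f"unknown transfer-coding {name!r} (respond 501)")
    # Section 3.3.3: chunked must be the final coding, and only once, or the
    # body length cannot be determined and the server must respond 400.
    if names[-1] != "chunked":
        problems.append("chunked is not the final transfer-coding (respond 400)")
    if names.count("chunked") > 1:
        problems.append("chunked applied more than once")
    # Section 3.3.3: both fields present is a framing conflict worth rejecting.
    if has_cl:
        problems.append("Transfer-Encoding and Content-Length both present")
    return problems

# Constructed requests: (label, header list, HTTP version).
SAMPLES = [
    ("valid chunked", [("Host", "app.example.test"), ("Transfer-Encoding", "chunked")], "HTTP/1.1"),
    ("chunked then gzip", [("Transfer-Encoding", "chunked, gzip")], "HTTP/1.1"),
    ("unknown coding", [("Transfer-Encoding", "xchunked")], "HTTP/1.1"),
    ("TE and CL", [("Transfer-Encoding", "chunked"), ("Content-Length", "5")], "HTTP/1.1"),
    ("two TE lines", [("Transfer-Encoding", "gzip"), ("Transfer-Encoding", "chunked")], "HTTP/1.1"),
]

if __name__ == "__main__":
    for label, hdrs, ver in SAMPLES:
        print(f"{label}: {validate_transfer_encoding(hdrs, ver) or 'compliant'}")
```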

Security Advisory Status

F5 Product Development has assigned ID 831325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.4^1       |matrix                                  |
+------------------+-----------------+----------------------------------------+

^1BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K43404365: BIG-IP APM logs may contain random data after the APM session ID

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

The BIG-IP APM system may log random data after the APM session ID in the
/var/log/apm logs. An additional 24 bytes of random information may be logged
after the APM session ID. This issue occurs when the following condition is met:

  o You use the ACCESS::log command in an iRule associated with the BIG-IP APM
    virtual server.

    For more information on the ACCESS::log command, refer to Clouddocs
    Access::log.

Impact

The characters logged after the APM session ID may leak random information.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o You observe random information logged in the /var/log/apm file, after the
    APM session ID, similar to the following example:

    notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52  <random
    characters> virtual=/Common/example-VS

Security Advisory Status

F5 Product Development has assigned ID 788593 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.3         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.4         |matrix                                  |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------

K25165813: BIG-IP SSL connection Alert Timeout security exposure

Original Publication Date: 30 Apr, 2020
Latest   Publication Date: 17 Dec, 2020

Security Advisory Description

The mitigation for K41515225: BIG-IP SSL connection security exposure may not
work in all conditions.

If, after applying the workaround in K41515225: BIG-IP SSL connection security
exposure and setting the Alert Timeout to its minimum value of 1 second, you
continue to experience the same issue (a spike in network throughput and
increased resource usage), it may be due to the issue described in this
article. This is most commonly seen in extremely high bandwidth networks, as
the remote host can send a large amount of data to the BIG-IP system within the
1 second minimum value of the Alert Timeout.

This issue occurs when all of the following conditions are met:

  o You configure a virtual server with Client SSL and Server SSL profiles.
  o The virtual server proxies an SSL connection.
  o One side of the SSL connection sends a FIN midstream to the BIG-IP system.
  o You performed the workaround described in K41515225: BIG-IP SSL connection
    security exposure and set the Alert Timeout value to its minimum value of 1
    second.

Impact

The BIG-IP system is capable of receiving, acknowledging, and dropping traffic
at extremely high bandwidths, and since the connection is no longer
bandwidth-limited by the original client, you may observe a spike in throughput
between the peer and the BIG-IP system. It is possible, depending on the
peer-side network, that this spike in throughput can exhaust available network
bandwidth between the BIG-IP system and the peer, even when the Alert Timeout
is set at the minimum value of 1 second.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o You observe increased network throughput between the peer and the BIG-IP
    system.
  o Connections on the peer system remain open indefinitely until the remote
    host completes transmitting data to the BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 750278 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0^1         |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.3^1       |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.3.1^1       |matrix                                  |
+------------------+-----------------+----------------------------------------+

^1In this fix, after you upgrade to a software version listed in the Fixes
Introduced In column, the SSL Alert Timeout option now supports the Immediate 
value, which makes the BIG-IP system reset both client and server side flows
after 1/1000 second. You need to configure your Server SSL profile and set the
SSL Alert Timeout to Immediate.

Security Advisory Recommended Actions

Workaround

There is no workaround for this issue. You need to upgrade your BIG-IP system
to a software version listed in the Fixes Introduced In column and configure
the SSL Alert Timeout setting to Immediate, which makes the BIG-IP system reset
both client and server side flows after 1/1000 second. Reducing the Alert
Timeout value will directly affect the amount of data transferred after the
original FIN is received. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > Profiles > SSL > Server SSL.
 3. Select the name of the profile associated with the virtual server.
 4. Next to Configuration, select Advanced.
 5. For Alert Timeout, select Immediate.
 6. Click Update.
    New SSL connections to the virtual server will use the new setting.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------


K72540690: BIG-IP high availability state mirroring vulnerability CVE-2020-5884

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

The default deployment mode for BIG-IP high availability (HA) pair mirroring is
insecure. This is a control plane issue that is exposed only on the network
used for mirroring. (CVE-2020-5884)

Impact

On-path attackers may be able to read and modify data in transit. Depending on
the deployment, this may include state mirroring messages, client connection
details, client data packets, and/or client persistence data.

Security Advisory Status

F5 Product Development has assigned ID 825449 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |None      |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |None      |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |None      |Medium    |6.5   |BIG-IP HA |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |None      |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

F5 will not develop a fix for vulnerable products that do not already have a
fixed version listed in this article, and will not update this table with
subsequent vulnerable releases in the associated branches. F5 recommends that
you update to more recent, non-vulnerable versions whenever feasible. For more
information, refer to K4602: Overview of the F5 security vulnerability response
policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can enable the statemirror.secure database
variable or protect the VLAN used for mirroring from untrusted entities. To do
so, perform one of the following procedures:

  o Enabling the statemirror.secure database variable
  o Protecting the VLAN used for mirroring from untrusted entities

Enabling the statemirror.secure database variable

To enable the statemirror.secure database variable, perform the following
procedure:

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. To enable the statemirror.secure database variable, enter the following
    command:

    modify /sys db statemirror.secure value enable
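As an added example, not F5's own tooling, the following Python audit parses saved tmsh list output and reports the two settings this bulletin asks you to verify: whether statemirror.secure is enabled (this procedure, which K65720640 below repeats) and whether each Server SSL profile's alert-timeout, resolved through its defaults-from parent, is immediate (the K25165813 procedure above). The brace-block layout of tmsh output is an assumption and the sample text is constructed; run it off-box against the captured output of tmsh list sys db statemirror.secure and tmsh list ltm profile server-ssl.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tmsh list` output for the two objects of interest.
# The layout is an assumption about how tmsh prints objects; the values are
# made up so that every kind of finding is exercised once.
SAMPLE_TMSH = """\
sys db statemirror.secure {
    value "disable"
}
ltm profile server-ssl serverssl {
    alert-timeout 10
    app-service none
    defaults-from none
}
ltm profile server-ssl /Common/backend-tls {
    alert-timeout immediate
    defaults-from serverssl
}
ltm profile server-ssl /Common/legacy-tls {
    alert-timeout indefinite
    defaults-from serverssl
}
ltm profile server-ssl /Common/app-tls {
    defaults-from serverssl
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
}
"""

TmshObject = Tuple[str, Dict[str, str]]


def parse_tmsh_list(text: str) -> List[TmshObject]:
    """Split tmsh `list` output into (object header, {setting: value}) pairs.

    Only scalar settings at depth 1 are kept; nested groups such as
    cert-key-chain are skipped because the audit below does not need them.
    """
    objects: List[TmshObject] = []
    depth = 0
    header, settings = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                header, settings = line[:-1].strip(), {}
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                objects.append((header, settings))
        elif depth == 1:
            key, _, value = line.partition(" ")
            settings[key] = value.strip().strip('"')
    return objects


def _basename(name: str) -> str:
    """Drop a partition prefix such as /Common/ from an object name."""
    return name.rsplit("/", 1)[-1]


def effective_setting(profiles: Dict[str, Dict[str, str]], name: str, key: str,
                      seen: Tuple[str, ...] = ()) -> Optional[str]:
    """Resolve a profile setting through its defaults-from chain."""
    cfg = profiles.get(_basename(name))
    if cfg is None or name in seen:  # unknown parent or inheritance loop
        return None
    if key in cfg:
        return cfg[key]
    parent = cfg.get("defaults-from", "none")
    if parent == "none":
        return None
    return effective_setting(profiles, parent, key, seen + (name,))


def audit(text: str) -> List[str]:
    """Return one finding per setting that differs from the bulletin's advice."""
    findings: List[str] = []
    profiles: Dict[str, Dict[str, str]] = {}
    for header, cfg in parse_tmsh_list(text):
        if header == "sys db statemirror.secure":
            if cfg.get("value", "").lower() != "enable":
                findings.append("statemirror.secure is %s: HA mirroring traffic "
                                "is not protected" % cfg.get("value", "<unset>"))
        elif header.startswith("ltm profile server-ssl "):
            profiles[_basename(header.split()[-1])] = cfg
    for name in profiles:
        timeout = effective_setting(profiles, name, "alert-timeout")
        if (timeout or "").lower() != "immediate":
            findings.append("server-ssl profile %s: alert-timeout is %s, bulletin "
                            "recommends immediate" % (name, timeout or "<unset>"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TMSH):
        print(finding)
```

Resolving alert-timeout through defaults-from matters because a child profile that never sets the value silently inherits whatever its parent carries, so checking only the profiles that mention alert-timeout explicitly would miss it.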

Protecting the VLAN used for mirroring from untrusted entities

To prevent on-path attackers from exploiting this vulnerability, you can set up
a direct connection between the BIG-IP HA systems.

To reduce the risk of this vulnerability, you can also protect the VLAN used
for mirroring from untrusted entities. For more information, refer to the
Mirroring recommendations section of K14135: Defining network resources for
BIG-IP HA features (11.x - 15.x) and the Recommendations section of K84303332:
Overview of connection and persistence mirroring (13.x - 15.x).

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K03318649: BIG-IP QKView vulnerability CVE-2020-5890

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 02 Jul, 2020

Security Advisory Description

When creating a QKView, credentials for binding to LDAP servers used for remote
authentication of the BIG-IP administrative interface are not fully obfuscated
if they contain whitespace. (CVE-2020-5890)

Impact

The BIG-IP system may disclose sensitive information used for authentication
with Lightweight Directory Access Protocol (LDAP) servers to an unprivileged
user.

Security Advisory Status

F5 Product Development has assigned ID 823893 (BIG-IP), ID 836497 (BIG-IQ) to
this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.5  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.4  |Low       |3.3   |QKView    |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |7.0.0     |None      |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |6.0.0 -   |None      |          |      |          |
|Management         |      |6.1.0     |          |Low       |3.3   |QKView    |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |5.2.0 -   |None      |          |      |          |
|                   |      |5.4.0     |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems

- --------------------------------------------------------------------------------


K03386032: BIG-IP VE interface vulnerability CVE-2020-5881

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

When the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there
are devices configured with OSPF connected to it, the Network Device
Abstraction Layer (NDAL) interfaces can lock up, in turn disrupting the
communication between the mcpd and tmm processes. (CVE-2020-5881)

Impact

This issue only affects BIG-IP VE. The BIG-IP system temporarily fails to
process traffic as it recovers from a Traffic Management Microkernel (TMM)
restart, and devices configured in a device group may fail over.

Security Advisory Status

F5 Product Development has assigned ID 789921 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |None      |Medium    |5.3   |TMM       |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K72423000: The BIG-IP AFM ACL and IPI features may not function as designed

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o You have provisioned and configured the BIG-IP AFM module.
  o Your system has active TCP mitigations.

Impact

Some BIG-IP AFM features like access control lists (ACLs) and IP Intelligence
(IPI) are not functional.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o Under certain conditions, ACLs, IPI, and other BIG-IP AFM features may not
    function as designed.

Security Advisory Status

F5 Product Development has assigned ID 778869 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |14.1.2.4         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.0.1.1         |matrix                                  |
|                  |13.1.3.2         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

You can avoid this issue by disabling the active TCP mitigations for the
TCP-half-open vector.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------

K65720640: BIG-IP SSL state mirroring vulnerability CVE-2020-5886

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 02 Jul, 2020

Security Advisory Description

BIG-IP systems set up for connection mirroring in a High Availability (HA) pair
transfer sensitive cryptographic objects over an insecure communications
channel. This is a control plane issue which is exposed only on the network
used for connection mirroring. (CVE-2020-5886)

Impact

On-path attackers may be able to read and modify the Diffie-Hellman (DH)
parameters used by data plane SSL/TLS enabled virtual servers. Only HA pairs
with session mirroring or connection mirroring enabled are vulnerable.

Security Advisory Status

F5 Product Development has assigned ID 829121 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.5  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.4  |Medium    |4.8   |BIG-IP HA |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can enable the statemirror.secure database
variable or protect the VLAN used for mirroring from untrusted entities. To do
so, perform one of the following procedures:

  o Enabling the statemirror.secure database variable
  o Protecting the VLAN used for mirroring from untrusted entities

Enabling the statemirror.secure database variable

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. To enable the statemirror.secure database variable, enter the following
    command:

    modify /sys db statemirror.secure value enable

Protecting the VLAN used for mirroring from untrusted entities

To prevent on-path attackers from exploiting this vulnerability, you can set up
a direct connection between the BIG-IP HA systems.

To reduce the risk of the vulnerability, you can also protect the VLAN used for
mirroring from untrusted entities. For more information, refer to the Mirroring
recommendations section of K14135: Defining network resources for BIG-IP HA
features (11.x - 15.x) and the Recommendations section of K84303332: Overview
of connection and persistence mirroring (13.x - 15.x).

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------


K73274382: BIG-IP Virtual Edition TMM vulnerability CVE-2020-5888

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer
2) attackers to access local daemons and bypass port lockdown settings. (
CVE-2020-5888)

Impact

Hosts in adjacent networks may be able to bypass port lockdown settings on
BIG-IP VE hosts.

Security Advisory Status

F5 Product Development has assigned ID 832021 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |15.1.0    |15.1.0.2  |          |      |          |
|                   |15.x  |15.0.0 -  |15.0.1.3  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |TMM in    |
|AFM, Analytics,    +------+----------+----------+          |      |Virtual   |
|APM, ASM, DNS, FPS,|13.x  |None      |Not       |Medium    |5.4   |Edition   |
|GTM, Link          |      |          |applicable|          |      |BIGIP     |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can limit access to the local IPv6 F5
addresses using the following two methods:

  o Creating a packet filter rule to limit access to IPv6 address fc00:f5::1
  o Creating a BIG-IP AFM rule to limit access to IPv6 address fc00:f5::1

Creating a packet filter rule to limit access to IPv6 address fc00:f5::1

To create a packet filter rule, perform the following procedure:

 1. Log in to the BIG-IP Configuration utility.
 2. Navigate to Network > Packet Filters > Rules.
 3. Select the Create button.
 4. In the Name text box, enter the following content: 

    limit-access-to-fc00-f5-1-ipv6-rule

 5. For Order, select Last.
 6. For Action, select Discard.
 7. For Filter Expression Method, select Enter Expression Text.
 8. In the Filter Expression text box, enter the following content:

    ( ( ip6 )  ) and ( dst host fc00:f5::1 )

 9. Select the Finished button.

Creating a BIG-IP AFM rule to limit access to IPv6 address fc00:f5::1

Note: To mitigate this issue, BIG-IP AFM must be licensed and provisioned.

If no BIG-IP AFM policies exist, you must first create a policy using the name
of your choice and apply it to the global BIG-IP AFM context, detailed in steps
1 through 8. Otherwise, skip steps 1 through 8 and proceed with step 9 after
you log in to the BIG-IP Configuration utility:

 1. Log in to the BIG-IP Configuration utility.
 2. Navigate to Security > Network Firewall > Policies.
 3. Select the Create button and enter a policy name.
 4. Select Finished.
 5. Select the Active Rules tab.
 6. Select the Global link under Active Rules List.
 7. Under the Network Firewall section, change Enforcement to Enabled and
    select the policy name that you created.
 8. Click Update.
 9. Navigate to Security > Network Firewall > Policies.
10. Select your policy, and then select the Add Rule button.
11. In the Rule fields, change the following settings from their defaults:

    Name: limit-access-to-fc00-f5-1-ipv6-afm-rule

    Protocol: Any

    Destination: fc00:f5::1 (Click the Add button after entering)

    Action: Drop

12. Select the Done Editing button.
13. To activate the new rule, select the Commit Changes to System button.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K54200228:BIG-IP iRules vulnerability CVE-2020-5877 

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 18 Jun, 2020

Security Advisory Description

Malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event
may lead to a denial of service. (CVE-2020-5877) 

Impact

Remote attackers may be able to perform a denial-of-service (DoS) attack on the
BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 830401 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |15.1.0    |          |          |      |          |
|                   |15.x  |15.0.0 -  |15.1.0.2  |          |      |          |
|                   |      |15.0.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.5  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |None      |High      |7.5   |iRules    |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |None      |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K94325657:BIG-IP restjavad vulnerability CVE-2020-5880

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

The restjavad process may expose a way for attackers to upload arbitrary files
on the BIG-IP system, bypassing the authorization system. Resulting error
messages may also reveal internal paths of the server. (CVE-2020-5880)

Impact

A remote attacker may be able to fill the disk storage and make the BIG-IP host
inoperable.

Security Advisory Status

F5 Product Development has assigned ID 775833 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |None      |Not       |Medium    |6.5   |restjavad |
|GTM, Link          |      |          |applicable|          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

There is scope for mitigation through employing standard security best
practices: limit access to the Configuration utility to known IP addresses and
allow access to the Configuration utility to trusted users only. For more
information, refer to K13092: Overview of securing access to the BIG-IP system.

Acknowledgements

F5 would like to acknowledge Ismael Goncalves for bringing this issue to our
attention, and for following the highest standards of responsible disclosure.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K65372933:BIG-IP HTTP/2 vulnerability CVE-2020-5875

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

Under certain conditions, the Traffic Management Microkernel (TMM) may generate
a core file and restart while processing SSL traffic with an HTTP/2 full proxy.
(CVE-2020-5875)

Impact

If you have enabled HTTP/2, Message Routing Framework (MRF), and SSL, a certain
request sequence can trigger a condition that may cause TMM to generate a core
file and restart. An attacker may be able to cause a BIG-IP system to produce a
core file, disrupting the flow of traffic and causing a failover to a standby
system.

Security Advisory Status

F5 Product Development has assigned ID 802261 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |15.0.1.1  |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |virtual   |
|AFM, Analytics,    +------+----------+----------+          |      |servers   |
|APM, ASM, DNS, FPS,|13.x  |None      |Not       |High      |7.5   |(HTTP MRF |
|GTM, Link          |      |          |applicable|          |      |Router    |
|Controller, PEM)   +------+----------+----------+          |      |option)   |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents


- --------------------------------------------------------------------------------


K24415506:BIG-IP APM portal access reflected XSS vulnerability CVE-2020-5889 

Security Advisory

Original Publication Date: 30 Apr, 2020

Security Advisory Description

In BIG-IP APM portal access, a specially crafted HTTP request can lead to
reflected XSS after the BIG-IP APM system rewrites the HTTP response from the
untrusted backend server and sends it to the client. (CVE-2020-5889)

Impact

An attacker can craft a malicious URL and send it to a victim to launch a
cross-site scripting (XSS) attack.

Security Advisory Status

F5 Product Development has assigned IDs 864109 and 873469 (BIG-IP) to this
vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |15.1.0    |15.1.0.2  |          |      |          |
|                   |15.x  |15.0.0 -  |15.0.1.3  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.0.0 -  |14.1.2.4  |          |      |          |
|                   |      |14.1.2    |          |          |      |          |
|                   +------+----------+----------+          |      |BIG-IP APM|
|BIG-IP (APM)       |13.x  |None      |Not       |Medium    |4.9   |portal    |
|                   |      |          |applicable|          |      |access    |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|BIG-IP (LTM, AAM,  |      |          |applicable|          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|ASM, DNS, FPS, GTM,|13.x  |None      |Not       |Not       |None  |None      |
|Link Controller,   |      |          |applicable|vulnerable|      |          |
|PEM)               +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can associate an iRule to the affected
BIG-IP APM virtual server. For more information about the iRule, contact F5
Support.

Acknowledgements

F5 would like to acknowledge Sai Mamidala of the Financial Industry Regulatory
Authority (FINRA) for bringing this issue to our attention and for following
the highest standards of responsible disclosure.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- -----------------------------------------------------------------------------


K43404365:BIG-IP APM logs may contain random data after the APM session ID

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 14 May, 2020

Security Advisory Description

The BIG-IP APM system may log random data after the APM session ID in the
/var/log/apm logs. An additional 24 bytes of random information may be logged
after the APM session ID. This issue occurs when the following condition is met:

  o You use the ACCESS::log command in an iRule associated with the BIG-IP APM
    virtual server.

    For more information on the ACCESS::log command, refer to Clouddocs
    Access::log.

Impact

The characters logged after the APM session ID may leak random information.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o You observe random information logged in the /var/log/apm file, after the
    APM session ID, similar to the following example:

    notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52  <random
    characters> virtual=/Common/example-VS
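A small log scan for the symptom shown above, written for this bulletin and not
F5's own code: it parses lines in the shape of the quoted /var/log/apm entry and
flags any line where a run of non-printable or escaped bytes sits between the
APM session ID and the virtual= field. The syslog prefix, the escaped-byte
rendering of the random data, and the "looks random" heuristic are assumptions
of this example; the virtual server name and session ID come from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed /var/log/apm excerpt modelled on the line quoted in K43404365.
# The virtual server (/Common/example-VS) and session ID (45e70a52) are the
# advisory's; the timestamp/host prefix and the escaped bytes are made up.
# Line 2 is the bad case: 24 escaped bytes between the session ID and "virtual=".
SAMPLE_APM_LOG = r"""
Apr 30 10:00:01 bigip1 notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52 virtual=/Common/example-VS
Apr 30 10:00:02 bigip1 notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52  \xf3\x1c\x9a\x7f\x02\xe1\x8b\xc4\x0c\xa7\xde\x91\xbd\xb8\xe6\xff\x19\xc2\xf0\x0b\xd5\xaa\x8e\xc7 virtual=/Common/example-VS
Apr 30 10:00:03 bigip1 notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52 Session deleted (admin initiated)
Apr 30 10:00:04 bigip1 err   tmm[20234]: 01490000:3: unrelated line with no session ID
""".strip("\n")

# Shape taken from the advisory's example: "<vs>:<8-hex session id> <message>".
_ACCESS_LOG_RE = re.compile(
    r"tmm\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d+: "
    r"(?P<vs>/[^\s:]+):(?P<sid>[0-9a-f]{8})(?P<rest>.*)$"
)
# Assumption: syslog renders non-printable bytes as \xNN or \NNN escapes.
_ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}|\\[0-7]{3}")
_PRINTABLE = re.compile(r"^[\x20-\x7e]*$")


@dataclass
class ApmLogRecord:
    vs: str          # virtual server the message was logged for
    session_id: str  # 8-hex-digit APM session ID
    payload: str     # everything after the session ID, whitespace-trimmed
    leaked: str      # suspect run found before "virtual=", "" if none


def _looks_random(segment: str) -> bool:
    """Heuristic (this example's assumption, not an F5 rule): a run is treated
    as leaked data if it holds escaped bytes or non-printable characters."""
    s = segment.strip()
    if not s:
        return False
    return bool(_ESCAPED_BYTE.search(s)) or not _PRINTABLE.match(s)


def parse_line(line: str) -> Optional[ApmLogRecord]:
    """Parse one log line; None for lines that carry no APM session ID."""
    m = _ACCESS_LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    leaked = ""
    marker = rest.find("virtual=")
    if marker != -1:
        # Only the text between the session ID and "virtual=" is suspect;
        # the advisory says the random bytes are logged right after the ID.
        before = rest[:marker]
        if _looks_random(before):
            leaked = before.strip()
    return ApmLogRecord(
        vs=m.group("vs"),
        session_id=m.group("sid"),
        payload=rest.strip(),
        leaked=leaked,
    )


def scan_apm_log(text: str) -> List[ApmLogRecord]:
    """Return only the records whose line carries a leaked run."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec.leaked:
            hits.append(rec)
    return hits


def leaked_byte_count(rec: ApmLogRecord) -> int:
    """Bytes in the leaked run, counting each escape sequence as one byte."""
    return len(_ESCAPED_BYTE.sub("?", rec.leaked).encode("utf-8"))


if __name__ == "__main__":
    for rec in scan_apm_log(SAMPLE_APM_LOG):
        print(f"{rec.vs} session {rec.session_id}: "
              f"{leaked_byte_count(rec)} leaked bytes after the session ID")
```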

Security Advisory Status

F5 Product Development has assigned ID 788593 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.3         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.4^1       |matrix                                  |
+------------------+-----------------+----------------------------------------+

^1 BIG-IP 14.1.2.4 is not a supported release; please use a later release.
Refer to K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

Workaround

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ------------------------------------------------------------------------------


K63558580: BIG-IP crypto driver vulnerability CVE-2020-5872

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 14 May, 2020

Security Advisory Description

When processing TLS traffic with hardware cryptographic acceleration enabled on
platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may
stop responding and cause a failover event. (CVE-2020-5872)

Impact

Hardware cryptographic acceleration fails and TMM may stop responding, which
causes a failover event if the BIG-IP system is configured as part of a device
group. This vulnerability applies to the following platforms:

  o i4600, i4800, YK i4000
  o i5600, i5800, HRC-i5000, HRC-i5800, i5820-DF
  o i7600, i7800, i7000-D, i7820-DF
  o i10600, i10800, i10000-D, HRC-i10800
  o i11600, i11800, i11000-DS, i11000-D
  o i15600, i15800, i15000-N
  o VIPRION B4400N blade

Security Advisory Status

F5 Product Development has assigned ID 762453 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+-----------------+------+----------+----------+----------+------+------------+
|                 |      |Versions  |Fixes     |          |CVSSv3|Vulnerable  |
|Product          |Branch|known to  |introduced|Severity  |score^|component or|
|                 |      |be        |in        |          |1     |feature     |
|                 |      |vulnerable|          |          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|                 |15.x  |None      |15.0.0    |          |      |            |
|                 +------+----------+----------+          |      |            |
|                 |      |14.1.0 -  |          |          |      |            |
|                 |14.x  |14.1.2    |14.1.2.4^2|          |      |            |
|                 |      |14.0.0 -  |14.0.1.1  |          |      |            |
|BIG-IP (LTM, AAM,|      |14.0.1    |          |          |      |            |
|AFM, Analytics,  +------+----------+----------+          |      |SSL Profiles|
|APM, ASM, DNS,   |13.x  |13.1.0 -  |13.1.3.2  |High      |7.5   |- Hardware  |
|FPS, GTM, Link   |      |13.1.3    |          |          |      |acceleration|
|Controller, PEM) +------+----------+----------+          |      |            |
|                 |12.x  |12.1.0 -  |12.1.5    |          |      |            |
|                 |      |12.1.4    |          |          |      |            |
|                 +------+----------+----------+          |      |            |
|                 |11.x  |None      |Not       |          |      |            |
|                 |      |          |applicable|          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|                 |6.x   |None      |Not       |          |      |            |
|BIG-IQ           |      |          |applicable|Not       |      |            |
|Centralized      +------+----------+----------+vulnerable|None  |None        |
|Management       |5.x   |None      |Not       |          |      |            |
|                 |      |          |applicable|          |      |            |
+-----------------+------+----------+----------+----------+------+------------+
|Traffix SDC      |5.x   |None      |Not       |Not       |None  |None        |
|                 |      |          |applicable|vulnerable|      |            |
+-----------------+------+----------+----------+----------+------+------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2 BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this issue, you can disable crypto hardware acceleration. To do so,
perform the following procedure:

Note: Disabling hardware-based crypto acceleration results in all crypto
operations being processed in software, which may cause higher CPU and memory
usage depending on traffic patterns.

Impact of workaround: The impact of the suggested workaround depends on the
specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. Disable crypto hardware acceleration by entering the following command:

    modify /sys db crypto.hwacceleration value disable
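The status table above gives the vulnerable version ranges per branch, the Impact section lists the Intel QAT platforms, and the two tmsh steps give the interim mitigation. The script below is an added example, not F5's own tooling, that turns those three facts into one offline exposure check for CVE-2020-5872: it decides whether a given software version falls inside a vulnerable range (and which fix version the advisory points to), whether the platform string names an affected platform, and whether crypto.hwacceleration is still enabled, then reports the action the advisory recommends. The tmsh output it parses is constructed for the example and the regexes assume that layout; compare them against the real output of `tmsh list sys db crypto.hwacceleration` and `tmsh show sys hardware` on your own system before relying on the result.

```python
"""Offline exposure check for CVE-2020-5872 (added example, not F5's code).

Encodes the advisory's vulnerable version ranges, affected platform list and
the crypto.hwacceleration mitigation. The tmsh output parsed below is a
constructed sample; verify the format against a real BIG-IP first.
"""
import re

# (first vulnerable, first fixed) per branch, from the advisory's status table.
# 15.x and 11.x list no vulnerable versions, so they have no entry.
VULNERABLE_RANGES = [
    ("14.1.0", "14.1.2.4"),  # 14.1.0 - 14.1.2, fixed in 14.1.2.4 (not a supported release)
    ("14.0.0", "14.0.1.1"),  # 14.0.0 - 14.0.1, fixed in 14.0.1.1
    ("13.1.0", "13.1.3.2"),  # 13.1.0 - 13.1.3, fixed in 13.1.3.2
    ("12.1.0", "12.1.5"),    # 12.1.0 - 12.1.4, fixed in 12.1.5
]

# Platforms with Intel QAT acceleration named in the advisory's Impact section.
AFFECTED_PLATFORMS = [
    "i4600", "i4800", "YK i4000",
    "i5600", "i5800", "HRC-i5000", "HRC-i5800", "i5820-DF",
    "i7600", "i7800", "i7000-D", "i7820-DF",
    "i10600", "i10800", "i10000-D", "HRC-i10800",
    "i11600", "i11800", "i11000-DS", "i11000-D",
    "i15600", "i15800", "i15000-N",
    "B4400N",  # VIPRION B4400N blade
]

# The interim mitigation from the advisory, entered at the tmsh prompt.
MITIGATION = "modify /sys db crypto.hwacceleration value disable"


def parse_version(text):
    """'14.1.2' -> (14, 1, 2, 0): pad to four components so 14.1.2 < 14.1.2.4."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def vulnerable_version(version):
    """Return the fix version the advisory points to, or None if the version is
    outside every vulnerable range (includes 15.x, 11.x and already fixed releases)."""
    v = parse_version(version)
    for first_vulnerable, first_fixed in VULNERABLE_RANGES:
        if parse_version(first_vulnerable) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def affected_platform(platform_name):
    """True if a platform string such as 'BIG-IP i5800' names an affected platform.
    Lookarounds keep 'i5800' from matching inside 'i5820-DF' or 'HRC-i5800'
    (the HRC entry is listed on its own)."""
    for name in AFFECTED_PLATFORMS:
        if re.search(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])", platform_name):
            return True
    return False


def hwaccel_enabled(tmsh_list_output):
    """Parse the value line of `tmsh list sys db crypto.hwacceleration` (assumed
    layout: value "enable" / value "disable"); anything but disable counts as on."""
    m = re.search(r'value\s+"?(\w+)"?', tmsh_list_output)
    if not m:
        raise ValueError("no value line found in tmsh output")
    return m.group(1).lower() != "disable"


def assess(version, platform_name, tmsh_list_output):
    """Combine version, platform and DB-variable state into a verdict and an action."""
    fixed = vulnerable_version(version)
    platform_hit = affected_platform(platform_name)
    accel = hwaccel_enabled(tmsh_list_output)
    exposed = fixed is not None and platform_hit and accel
    if exposed:
        action = f"upgrade to {fixed} or later; interim: tmsh '{MITIGATION}'"
    elif fixed is not None:
        action = f"vulnerable version, but the hardware acceleration path is not in use here; plan upgrade to {fixed} or later"
    else:
        action = "no action required for CVE-2020-5872"
    return {"exposed": exposed, "fixed_in": fixed, "platform_affected": platform_hit,
            "hwaccel_enabled": accel, "action": action}


# Constructed sample of the tmsh output this script expects (not captured from a device).
SAMPLE_DB_OUTPUT = 'sys db crypto.hwacceleration {\n    value "enable"\n}\n'

if __name__ == "__main__":
    print(assess("14.1.2.3", "BIG-IP i5800", SAMPLE_DB_OUTPUT))
```

Version comparison pads every string to four components, so 14.1.2 sorts below the 14.1.2.4 fix and 12.1.4.1 stays inside the 12.1.0 - 12.1.4 range the table lists. The 14.1.2.4 entry is kept because the table names it, but the footnote marks it unsupported, so treat "or later" in the action text as the operative part.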

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ------------------------------------------------------------------------------


K10701310: BIG-IP may not detect invalid Transfer-Encoding headers

Security Advisory

Original Publication Date: 30 Apr, 2020

Latest   Publication Date: 14 May, 2020

Security Advisory Description

This issue occurs when the conditions in the following table are met for the
provisioned BIG-IP module and the affected version listed there.

+-------+------------------------------------------------------------+--------+
|Product|Conditions that trigger the issue                           |Affected|
|(s)    |                                                            |versions|
+-------+------------------------------------------------------------+--------+
|       |For versions prior to 15.1.0, the implementation for        |        |
|       |enforcing RFC compliance for the HTTP protocol is not       |        |
|BIG-IP |per-profile, it is global for all HTTP profiles by enabling |14.1.2.3|
|LTM    |the Tmm.HTTP.RFC.Enforcement system database variable. When |12.1.5.1|
|       |the database variable is enabled, the BIG-IP system is not  |        |
|       |caught by the protocol compliance checks.                   |        |
+-------+------------------------------------------------------------+--------+
|BIG-IP |                                                            |        |
|AAM,   |These products inherit HTTP features from BIG-IP LTM.       |14.1.2.3|
|APM,   |                                                            |12.1.5.1|
|PEM    |                                                            |        |
+-------+------------------------------------------------------------+--------+
|       |                                                            |15.0.1  |
|       |                                                            |15.0.0  |
|BIG-IP |The HTTP protocol security feature is configured and        |14.1.2  |
|AFM    |associated to a virtual server.                             |14.1.0  |
|       |                                                            |13.1.x  |
|       |                                                            |12.1.x  |
|       |                                                            |11.6.x  |
+-------+------------------------------------------------------------+--------+
|       |                                                            |15.0.1  |
|       |                                                            |15.0.0  |
|BIG-IP |An ASM security policy is configured with the enforcement of|14.1.2  |
|ASM    |HTTP protocol RFC compliance.                               |14.1.0  |
|       |                                                            |13.1.x  |
|       |                                                            |12.1.x  |
|       |                                                            |11.6.x  |
+-------+------------------------------------------------------------+--------+

Impact

BIG-IP LTM, AAM, APM, and PEM may not drop invalid traffic as expected.

BIG-IP AFM and ASM may not block or alarm invalid traffic as expected.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o Detection of invalid Transfer-Encoding headers may not work as expected.
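The symptom above is that RFC compliance enforcement may let an invalid Transfer-Encoding header through. To make concrete what "invalid" means here, the following added example (not F5's enforcement code) validates a Transfer-Encoding field value against the rules of RFC 7230 sections 3.3.1 and 4: every element must be a token, every coding must be one the server implements (otherwise 501), chunked may appear at most once and must be the final coding, and for a request the final coding must be chunked or the body length cannot be determined (400). It also merges repeated header lines the way RFC 7230 section 3.2.2 allows. The sample header lines are constructed for the example; KNOWN_CODINGS is the RFC 7230 section 4 set and can be extended by the caller.

```python
"""RFC 7230 Transfer-Encoding validator (added example, not F5's enforcement code)."""
import re

# tchar from RFC 7230 section 3.2.6: VCHAR minus delimiters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# transfer-parameter value: token or quoted-string (escapes omitted; enough to validate).
_PARAM_VALUE = re.compile(r'^(?:[!#$%&\'*+\-.^_`|~0-9A-Za-z]+|"[^"\\]*")$')

# Transfer codings defined in RFC 7230 section 4 (x-compress/x-gzip are listed
# there as equivalents). Anything else is a transfer-extension the server does
# not implement and should refuse with 501.
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "x-compress", "x-gzip"}


def split_list(value):
    """Split a #rule list on commas that are not inside a quoted-string."""
    elements, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            elements.append("".join(current).strip(" \t"))
            current = []
        else:
            current.append(ch)
    elements.append("".join(current).strip(" \t"))
    return elements


def validate_transfer_encoding(value, request=True, known=KNOWN_CODINGS):
    """Return (True, 'ok') for a compliant field value, else (False, reason).

    request=True applies the request rule of RFC 7230 section 3.3.1: if chunked is
    not the final coding the body length is undetermined and the server must 400.
    For responses a non-chunked final coding is legal (close-delimited body).
    """
    codings = []
    for element in split_list(value):
        if element == "":
            continue  # recipients tolerate empty list elements (RFC 7230 section 7)
        parts = [p.strip(" \t") for p in element.split(";")]
        name = parts[0].lower()
        if not _TOKEN.match(name):
            return False, f"transfer-coding {parts[0]!r} is not a token"
        if name == "chunked" and parts[1:]:
            return False, "chunked takes no parameters"
        for param in parts[1:]:
            pname, sep, pvalue = param.partition("=")
            if not sep or not _TOKEN.match(pname.strip(" \t")) \
                    or not _PARAM_VALUE.match(pvalue.strip(" \t")):
                return False, f"malformed transfer-parameter {param!r} on {name!r}"
        if name not in known:
            return False, f"unknown transfer-coding {name!r} (respond 501)"
        codings.append(name)
    if not codings:
        return False, "Transfer-Encoding present but lists no coding"
    if codings.count("chunked") > 1:
        return False, "chunked applied more than once"
    if "chunked" in codings and codings[-1] != "chunked":
        return False, "chunked is not the final transfer-coding"
    if request and codings[-1] != "chunked":
        return False, "request body length undetermined: final coding must be chunked (respond 400)"
    return True, "ok"


def check_request_headers(headers):
    """Validate the Transfer-Encoding of a request given as (name, value) pairs.

    Repeated Transfer-Encoding lines are joined with ', ' (RFC 7230 section 3.2.2).
    Returns (True, 'ok') when the field is absent or compliant.
    """
    values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if not values:
        return True, "ok"
    return validate_transfer_encoding(", ".join(values), request=True)


# Constructed sample request headers (not captured traffic).
SAMPLE_GOOD = [("Host", "example.test"), ("Transfer-Encoding", "gzip"),
               ("Transfer-Encoding", "chunked")]
SAMPLE_BAD = [("Host", "example.test"), ("Transfer-Encoding", "chunked, chunked")]

if __name__ == "__main__":
    print(check_request_headers(SAMPLE_GOOD))
    print(check_request_headers(SAMPLE_BAD))
```

A proxy that enforces these rules on requests can reject the invalid forms with 400 or 501 before they reach a pool member; the advisory's point is that, on the listed versions, the BIG-IP checks may not do so, so the fixed release is the real remedy and this validator only illustrates what a compliant check accepts and rejects.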

Security Advisory Status

F5 Product Development has assigned ID 831325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.1.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.4^1       |matrix                                  |
+------------------+-----------------+----------------------------------------+

^1 BIG-IP 14.1.2.4 is not a supported release; please use a later release.
Refer to K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYLh0L+NLKJtyKPYoAQh4KQ//aF2HQ0ZuwJ138p35/BSCpIq4qj3L13bn
4k/9LfwpkvAs82RT7mHU/Pb1nAs2JChXzzxLx3rhbrbJn1WEtAnS6GOtHoXh2MxT
j4fqFrL7nl83KCnPTPAEsbQbkJJjggCxv2aSQ71jXwAds1kFw80jrZX1Ltcw0dAe
19y5jUB99ww4X7FKco/eE4vK3oIS0z3ExFTVYoMwL0xOLsSWLyYzlXdo+ogtqEvS
Oaj1d07+gEB7eYSTwNBL9lyjdMHwMFSKvP5f40fa0SJXlcaHM4DUojeGrCSAkLHb
foYyL1HRTQ3p2Hqjjm62sxdPiHqraiR+Eqo5rWER7JmUvh+uz8VEtBTENmDR4yBK
HUI2t9KXJ+kMmuW1oSbezH+oWrPjeLIYWZ5Dqf5s6P61N1mcAOhZ2s0OiGb7QWkc
DzksTKZ/Ike5NwapZRBPxwg/GdNNIGts0kgjXEal1/MG7SLi5XpmJ46P7oDocEkj
nFvYt74lBRTTyQrsme/VWNeYqKMuDbbtl+Y5jR1xueQWAFV+bu6O/l7XaLy0iTRz
TVah81wAkcgjBLRnoQNF5mG2eCRS8zV5X3HqFnoSBkBAEKugVbibawhRTKzccFIT
UsFIbvih+TjHJ3F9g6p/5GeMLUMYf3F3OOnxhe6ffPiRYq6rA/qwApE8v/eo/Fy8
GnnLfJwnU3g=
=dbeR
-----END PGP SIGNATURE-----