-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0872.2
                  Advanced WAF/ASM - Multiple Vulnerabilities
                                 15 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23001 CVE-2021-22993 CVE-2021-22992 CVE-2021-22990
                   CVE-2021-22989 CVE-2021-22988 CVE-2021-22987 CVE-2021-22986

Original Bulletin:
   https://support.f5.com/csp/article/K45056101
   https://support.f5.com/csp/article/K52510511
   https://support.f5.com/csp/article/K55237223
   https://support.f5.com/csp/article/K06440657

Comment: This bulletin contains four (4) F5 Networks security advisories.

Revision History:  March 15 2021: Added multiple BIG-IP Products for K52510511
                   March 11 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K45056101: Advanced WAF/ASM TMUI authenticated remote command execution
vulnerability CVE-2021-22990

Original Publication Date: 11 Mar, 2021

Security Advisory Description

On systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management
User Interface (TMUI), also referred to as the Configuration utility, has an
authenticated remote command execution vulnerability in undisclosed pages.
(CVE-2021-22990)

Note: For systems running in Appliance mode, refer to K56142644: Appliance Mode
Advanced WAF/ASM TMUI authenticated remote command execution vulnerability
CVE-2021-22989.
Impact

This vulnerability allows highly privileged authenticated users with the roles
Administrator, Resource Administrator, or Application Security Administrator
with network access to the Configuration utility, through the BIG-IP management
port or self IP addresses, to execute arbitrary system commands, create and
delete files, or disable services. This vulnerability can only be exploited
through the control plane and cannot be exploited through the data plane.
Exploitation can lead to complete system compromise.

Note: If you believe your system may have been compromised, refer to K11438344:
Considerations and guidance when you suspect a security compromise on a BIG-IP
system.

Security Advisory Status

F5 Product Development has assigned ID 953729 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Product                          |Branch|Versions known to |Fixes introduced|Severity      |CVSSv3 score^1|Vulnerable component or       |
|                                 |      |be vulnerable     |in              |              |              |feature                       |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (Advanced WAF and ASM)    |16.x  |16.0.0 - 16.0.1   |16.0.1.1        |Medium        |6.6           |TMUI/Configuration utility    |
|                                 |15.x  |15.1.0 - 15.1.2   |15.1.2.1        |              |              |                              |
|                                 |14.x  |14.1.0 - 14.1.3   |14.1.4          |              |              |                              |
|                                 |13.x  |13.1.0 - 13.1.3   |13.1.3.6        |              |              |                              |
|                                 |12.x  |12.1.0 - 12.1.5   |12.1.5.3        |              |              |                              |
|                                 |11.x  |11.6.1 - 11.6.5   |11.6.5.3        |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IQ Centralized Management    |8.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
|                                 |7.x   |None              |Not applicable  |              |              |                              |
|                                 |6.x   |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|F5OS                             |1.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Traffix SDC                      |5.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the table does not list a fixed version for
your software branch, then no update candidate currently exists for that branch
and F5 recommends upgrading to a version with the fix (refer to the table).

If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix. Refer to
K51812227: Understanding security advisory versioning.

If you are using public cloud marketplaces (AWS, Azure, GCP, or Alibaba) to
deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest
releases of BIG-IP versions listed in the Fixes introduced in column, subject
to their availability on those marketplaces. For more information, refer to the
following articles:

  o BIG-IP VE Supported Platforms
  o K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents

Mitigation

As this attack is conducted by legitimate, authenticated users, there is no
viable mitigation while still allowing the user access to the Configuration
utility. The only mitigation is to remove access for any users who are not
completely trusted.

Until it is possible to install a fixed version, you can use the following
sections as temporary mitigations. These mitigations restrict access to the
Configuration utility to only trusted networks or devices, thereby limiting the
attack surface.

  o Block Configuration utility access through self IP addresses
  o Block Configuration utility access through the management interface

Block Configuration utility access through self IP addresses

You can block all access to the Configuration utility of your BIG-IP system
using self IP addresses. To do so, you can change the Port Lockdown setting to
Allow None for each self IP address on the system.
If you must open any ports, you should use the Allow Custom option, taking care
to disallow access to the Configuration utility. By default, the Configuration
utility listens on TCP port 443. Alternatively, you can configure a custom
port.

Note: Performing this action prevents all access to the Configuration utility
and iControl REST using the self IP address. These changes may also impact
other services, including breaking high availability (HA) configurations.
Before you make changes to the configuration of your self IP addresses, F5
strongly recommends that you refer to the following articles:

  o K17333: Overview of port lockdown behavior (12.x - 16.x)
  o K13092: Overview of securing access to the BIG-IP system
  o K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual
    Edition now defaults to TCP port 8443
  o K51358480: The single-NIC BIG-IP VE may erroneously revert to the default
    management httpd port after a configuration reload

Block Configuration utility access through the management interface

To mitigate this vulnerability for affected F5 products, you should restrict
management access to F5 products to only trusted users and devices, over a
secure network.
For more information about securing access to BIG-IP systems, refer to the
following articles:

  o K13309: Restricting access to the Configuration utility by source IP
    address (11.x - 16.x)
  o K13092: Overview of securing access to the BIG-IP system
  o K46122561: Restricting access to the management interface using network
    firewall rules

Supplemental Information

  o K02566623: Overview of F5 critical vulnerabilities (March 2021)
  o K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987,
    CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990
  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ---------------------------------------------------------------------------------

K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Original Publication Date: 11 Mar, 2021
Latest Publication Date: 13 Mar, 2021

Security Advisory Description

A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page
configured in its policy may trigger a buffer overflow, resulting in a DoS
attack. In certain situations, it may allow remote code execution (RCE), leading
to complete system compromise. (CVE-2021-22992)

Impact

A sophisticated attacker must have control over the back-end web servers (pool
members) or the ability to manipulate the server-side HTTP responses to the
virtual server to exploit this vulnerability.
With this level of back-end control, the attacker may cause the BIG-IP Advanced
WAF/ASM system to experience a denial-of-service (DoS). In the worst case, the
attacker may execute arbitrary code on the BIG-IP Advanced WAF/ASM system. This
vulnerability can only be exploited through the data plane and cannot be
exploited through the control plane. Exploitation can lead to complete system
compromise.

Note: If you believe your system may have been compromised, refer to K11438344:
Considerations and guidance when you suspect a security compromise on a BIG-IP
system.

Security Advisory Status

F5 Product Development has assigned ID 975233 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Product                          |Branch|Versions known to |Fixes introduced|Severity      |CVSSv3 score^1|Vulnerable component or       |
|                                 |      |be vulnerable     |in              |              |              |feature                       |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (Advanced WAF and ASM)    |16.x  |16.0.0 - 16.0.1   |16.0.1.1        |Critical      |9.0           |ASM virtual server            |
|                                 |15.x  |15.1.0 - 15.1.2   |15.1.2.1        |              |              |                              |
|                                 |14.x  |14.1.0 - 14.1.3   |14.1.4          |              |              |                              |
|                                 |13.x  |13.1.0 - 13.1.3   |13.1.3.6        |              |              |                              |
|                                 |12.x  |12.1.0 - 12.1.5   |12.1.5.3*       |              |              |                              |
|                                 |11.x  |11.6.1 - 11.6.5   |11.6.5.3        |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (LTM, AAM, AFM, Analytics,|16.x  |None              |Not applicable  |Not vulnerable|None          |None                          |
|APM, DDHD, DNS, FPS, GTM, Link   |15.x  |None              |Not applicable  |              |              |                              |
|Controller, PEM, SSLO)           |14.x  |None              |Not applicable  |              |              |                              |
|                                 |13.x  |None              |Not applicable  |              |              |                              |
|                                 |12.x  |None              |Not applicable  |              |              |                              |
|                                 |11.x  |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IQ Centralized Management    |8.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
|                                 |7.x   |None              |Not applicable  |              |              |                              |
|                                 |6.x   |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|F5OS                             |1.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Traffix SDC                      |5.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+

* An issue with the bigd process has been discovered in version 12.1.5.3. For
more information, refer to K50524736: Bigd process memory leak after updating
to BIG-IP 12.1.5.3.

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the table does not list a fixed version for
your software branch, then no update candidate currently exists for that branch
and F5 recommends upgrading to a version with the fix (refer to the table).

If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix. Refer to
K51812227: Understanding security advisory versioning.

If you are using public cloud marketplaces (AWS, Azure, GCP, or Alibaba) to
deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest
releases of BIG-IP versions listed in the Fixes introduced in column, subject
to their availability on those marketplaces.
For more information, refer to the following articles:

  o BIG-IP VE Supported Platforms
  o K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents

Mitigation

  o Mitigate malicious connections using an iRule
  o Modify Login Page configuration
  o Harden pool members
  o Remove Login Pages

Mitigate malicious connections using an iRule

To mitigate this vulnerability, you can associate the following iRule with the
affected virtual servers. The iRule examines the response from the server and
returns a 502 error for vulnerable responses. To use the iRule mitigation,
perform the following procedure:

Impact of workaround: The following mitigation may add additional resource load
on the system, depending on the specific environment. F5 recommends that you
test any such changes during a maintenance window and consider the possible
impact on your environment.

1. Log in to the Configuration utility.
2. Go to Local Traffic > iRules > iRule List.
3. Select Create.
4. Enter a name for the iRule.
5. For Definition, add the following iRule code:

   # Mitigation for K52510511: Advanced WAF/ASM Buffer Overflow vulnerability CVE-2021-22992
   when RULE_INIT {
       # Set static::debug 1 to enable debug logging.
       set static::debug 0
       # Upper bound on the combined length of all response header names.
       set static::max_length 4000
   }
   when HTTP_REQUEST {
       if { $static::debug } {
           set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
       }
       set uri [string tolower [HTTP::uri]]
   }
   when HTTP_RESPONSE {
       # Join every header name with no separator and measure the result.
       set header_names [HTTP::header names]
       set combined_header_name [join $header_names ""]
       set combined_header_name_len [string length $combined_header_name]
       if { $static::debug } {
           log local0. "=================response======================"
           log local0. "$LogString (response)"
           log local0. "combined header names: $combined_header_name"
           foreach aHeader [HTTP::header names] {
               log local0. "$aHeader: [HTTP::header value $aHeader]"
           }
           log local0. "the length of the combined response header names: $combined_header_name_len"
           log local0. "============================================="
       }
       # Replace an over-limit response with a 502 instead of passing it to ASM.
       if { ( $combined_header_name_len > $static::max_length ) } {
           log local0. "In the response of '$uri', the length of the combined header names $combined_header_name_len exceeds the maximum value $static::max_length. See K52510511: Advanced WAF/ASM Buffer Overflow vulnerability CVE-2021-22992"
           HTTP::respond 502 content "<HTML><HEAD><TITLE>Bad Gateway</TITLE></HEAD><BODY><P>The server response is invalid. Please inform the administrator. Error: K52510511</P></BODY></HTML>"
       }
   }

6. Select Finished.
7. Associate the iRule with the affected virtual servers.

Modify Login Page configuration

To mitigate this vulnerability, you may remove the configuration of both of the
following settings from the Login Page configuration:

  o Expected validation header name and value
  o Not expected validation header name and value

To do so, perform the following procedure:

1. Log in to the Configuration utility of the affected BIG-IP Advanced WAF/ASM
   system.
2. Go to Security > Application Security > Sessions and Logins > Login Pages
   List.
3. Select the security policy from the Current edited policy list.
4. Select the name of the Login URL from the Login Pages List.
5. Remove all configuration from both the settings.
6. Select Save to save the changes.
7. Select Apply Policy to apply the changes.
8. Select OK to confirm the operation.

These two settings should remain empty until the affected BIG-IP Advanced
WAF/ASM system is updated to a version listed in the Fixes introduced in
column.

Important: You may need to configure alternative Login Page access validation
criteria to continue using the Login Page without these set.

Harden pool members

To mitigate this vulnerability, you can harden your back-end web servers and
network to prevent the malicious headers in the HTTP response to the login page
from being sent to the BIG-IP Advanced WAF/ASM system.
Other attacks against the server, such as CRLF Injection or HTTP Response
Splitting, may also be used to manipulate the HTTP response. Use of HTTP
protocol compliance can protect against these attacks; refer to K10280:
Overview of BIG-IP ASM HTTP protocol compliance.

Remove Login Pages

Alternatively, you can delete any Login Page configured for a security policy
and avoid using the Login Page feature until the affected BIG-IP Advanced
WAF/ASM system is upgraded to a version listed in the Fixes introduced in
column. To delete a login page, perform the following procedure:

1. Log in to the Configuration utility of the affected BIG-IP ASM system.
2. Go to Security > Application Security > Sessions and Logins > Login Pages
   List.
3. Select the security policy from the Current edited policy list.
4. Select the login page configuration you want to remove.
5. Select Delete.
6. Select OK to confirm the deletion.
7. Select Apply Policy to apply the changes.
8. Select OK to confirm the operation.

Important: Login Page configuration may be critical to the function of the
Brute Force Attack Prevention, Login Enforcement, and Session Tracking functions
in a security policy. Review your security policy to see if any of these
functions require the Login Page configuration before deleting it.

Acknowledgements

F5 acknowledges Felix Wilhelm of Google Project Zero for bringing this issue to
our attention and following the highest standards of coordinated disclosure.
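As an added illustration, not F5's code and not part of the advisory, the following Python script reproduces offline the check that the K52510511 iRule above performs (a combined header-name length over 4000 characters is answered with a 502), so that a login page's pool-member responses can be tested against the threshold before the iRule is deployed. The sample responses are constructed here, and it is assumed that HTTP::header names lists every header occurrence, duplicates included.

```python
"""Offline model of the K52510511 iRule check (added example, not F5's code).

The iRule joins every response header name with no separator and answers
502 when the combined string is longer than static::max_length (4000).
The same rule is applied here to raw HTTP/1.x responses so that the
responses of a login page's pool members can be checked before the iRule
goes live. All sample responses below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_LENGTH = 4000  # mirrors static::max_length in the iRule


@dataclass
class Verdict:
    header_count: int   # number of header names seen
    combined_len: int   # [string length [join $header_names ""]]
    blocked: bool       # True when the iRule would answer 502


def header_names(raw_response: bytes) -> list[str]:
    """Return the header names of a raw HTTP/1.x response, in order.

    Every occurrence is kept (assumption: HTTP::header names lists each
    occurrence, duplicates included); an obsolete folded continuation line
    does not start a new header; a line without a colon carries no name.
    """
    head, _sep, _body = raw_response.partition(b"\r\n\r\n")
    names: list[str] = []
    for line in head.split(b"\r\n")[1:]:  # element 0 is the status line
        if not line or line[:1] in (b" ", b"\t"):
            continue
        name, colon, _value = line.partition(b":")
        if colon:
            # latin-1 maps one byte to one character, so len() matches
            # the on-the-wire length that [string length] sees
            names.append(name.strip().decode("latin-1"))
    return names


def evaluate(raw_response: bytes, max_length: int = MAX_LENGTH) -> Verdict:
    """Apply the iRule's threshold (strictly greater than) to one response."""
    names = header_names(raw_response)
    combined = "".join(names)  # same as [join $header_names ""]
    return Verdict(len(names), len(combined), len(combined) > max_length)


def filtered_response(raw_response: bytes, max_length: int = MAX_LENGTH) -> bytes:
    """What the client receives: the original response, or the 502 the
    iRule substitutes when the response is over the limit."""
    if not evaluate(raw_response, max_length).blocked:
        return raw_response
    body = (b"<HTML><HEAD><TITLE>Bad Gateway</TITLE></HEAD><BODY><P>The server "
            b"response is invalid. Please inform the administrator. "
            b"Error: K52510511</P></BODY></HTML>")
    return (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)


# A typical login page response; the tab-indented line is a folded
# continuation of X-Long, not a new header.
NORMAL_LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc\r\n"
    b"Set-Cookie: lang=en\r\n"
    b"X-Long: part one\r\n"
    b"\tpart two\r\n"
    b"\r\n"
    b"<html>login form</html>"
)

# One header whose name alone exceeds the limit.
OVERSIZED_NAME_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html\r\n"
    + b"X-" + b"A" * 4100 + b": 1\r\n"
    + b"\r\n"
)

# 450 small names (10 characters each) that cross the limit only in sum.
MANY_HEADERS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"".join(b"X-Tag-%04d: v\r\n" % i for i in range(450))
    + b"\r\n"
)


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_LOGIN_RESPONSE),
                          ("oversized name", OVERSIZED_NAME_RESPONSE),
                          ("many headers", MANY_HEADERS_RESPONSE)):
        print(label, evaluate(sample))
```

Feed it the raw bytes of a real pool member's login-page response (for example, saved from a curl capture) to see whether the iRule would pass or replace it.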
Supplemental Information

  o K02566623: Overview of F5 critical vulnerabilities (March 2021)
  o K50963210: Frequently asked questions for CVE-2021-22992
  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- -------------------------------------------------------------------------------

K55237223: BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Original Publication Date: 11 Mar, 2021

Security Advisory Description

DOM-based XSS on DoS Profile properties page. (CVE-2021-22993)

Impact

An attacker can inject a malicious script into the BIG-IP Advanced WAF and ASM
Configuration utility and trick users into executing malicious code.

Security Advisory Status

F5 Product Development has assigned ID 941449 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Product                          |Branch|Versions known to |Fixes introduced|Severity      |CVSSv3 score^1|Vulnerable component or       |
|                                 |      |be vulnerable     |in              |              |              |feature                       |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (Advanced WAF, ASM)       |16.x  |16.0.0 - 16.0.1   |16.0.1.1        |High          |7.5           |BIG-IP ASM DoS Profile        |
|                                 |15.x  |15.1.0 - 15.1.1   |15.1.2          |              |              |properties page               |
|                                 |14.x  |14.1.0 - 14.1.3   |14.1.3.1        |              |              |                              |
|                                 |13.x  |13.1.0 - 13.1.3   |13.1.3.6        |              |              |                              |
|                                 |12.x  |12.1.0 - 12.1.5   |12.1.5.3        |              |              |                              |
|                                 |11.x  |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (LTM, AAM, AFM, Analytics,|16.x  |None              |Not applicable  |Not vulnerable|None          |None                          |
|APM, DDHD, DNS, FPS, GTM, Link   |15.x  |None              |Not applicable  |              |              |                              |
|Controller, PEM, SSLO)           |14.x  |None              |Not applicable  |              |              |                              |
|                                 |13.x  |None              |Not applicable  |              |              |                              |
|                                 |12.x  |None              |Not applicable  |              |              |                              |
|                                 |11.x  |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IQ Centralized Management    |8.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
|                                 |7.x   |None              |Not applicable  |              |              |                              |
|                                 |6.x   |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Traffix SDC                      |5.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, secure access to the BIG-IP Advanced WAF and
ASM systems to ensure that the Configuration utility is accessible only by
trusted users. To do so, refer to K13092: Overview of securing access to the
BIG-IP system.

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ----------------------------------------------------------------------------------

K06440657: BIG-IP ASM iControl REST vulnerability CVE-2021-23001

Original Publication Date: 11 Mar, 2021

Security Advisory Description

The upload functionality in BIG-IP ASM allows an authenticated user to upload
files to the BIG-IP system using a call to an undisclosed iControl REST
endpoint.
(CVE-2021-23001)

Impact

An unauthenticated malicious user can upload malicious files to use in future
attacks, or simply upload large files to fill the BIG-IP system's disk space.

Security Advisory Status

F5 Product Development has assigned ID 935401 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Product                          |Branch|Versions known to |Fixes introduced|Severity      |CVSSv3 score^1|Vulnerable component or       |
|                                 |      |be vulnerable     |in              |              |              |feature                       |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (ASM)                     |16.x  |16.0.0 - 16.0.1   |16.0.1.1        |Medium        |4.3           |BIG-IP ASM file transfer      |
|                                 |15.x  |15.0.0 - 15.1.0   |15.1.2.1        |              |              |worker                        |
|                                 |14.x  |14.1.0 - 14.1.2   |14.1.4          |              |              |                              |
|                                 |13.x  |13.1.0 - 13.1.3   |13.1.3.6        |              |              |                              |
|                                 |12.x  |12.1.0 - 12.1.5   |12.1.5.3        |              |              |                              |
|                                 |11.x  |11.6.1 - 11.6.5   |11.6.5.3        |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IP (LTM, AAM, Advanced WAF,  |16.x  |None              |Not applicable  |Not vulnerable|None          |None                          |
|AFM, Analytics, APM, DDHD, DNS,  |15.x  |None              |Not applicable  |              |              |                              |
|FPS, GTM, Link Controller, PEM,  |14.x  |None              |Not applicable  |              |              |                              |
|SSLO)                            |13.x  |None              |Not applicable  |              |              |                              |
|                                 |12.x  |None              |Not applicable  |              |              |                              |
|                                 |11.x  |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|BIG-IQ Centralized Management    |8.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
|                                 |7.x   |None              |Not applicable  |              |              |                              |
|                                 |6.x   |None              |Not applicable  |              |              |                              |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+
|Traffix SDC                      |5.x   |None              |Not applicable  |Not vulnerable|None          |None                          |
+---------------------------------+------+------------------+----------------+--------------+--------------+------------------------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation

None

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----