AA-2008.0203 -- [Appliance] -- F5 Networks have released BIG-IP Local Traffic Manager versions 9.4.4 and 9.4.5 to correct a number of security vulnerabilities

Date: 19 September 2008
References: ESB-2007.0738  ESB-2012.1195  

===========================================================================
AA-2008.0203                  AUSCERT Advisory

                                [Appliance]
 F5 Networks have released BIG-IP Local Traffic Manager versions 9.4.4 and
           9.4.5 to correct a number of security vulnerabilities
                             19 September 2008
---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              BIG-IP Local Traffic Manager
Operating System:     Network Appliance
Impact:               Execute Arbitrary Code/Commands
                      Read-only Data Access
                      Cross-site Scripting
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0888 CVE-2008-0481 CVE-2007-5135
                      CVE-2008-0265
Member content until: Friday, October 17 2008

Ref:                  ESB-2007.0738

Original Bulletin:    
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes9_4_5.html


OVERVIEW:

       F5 Networks have released BIG-IP Local Traffic Manager versions 
       9.4.4 and 9.4.5 to correct a number of security vulnerabilities.


IMPACT:

       The vendor has confirmed the following vulnerabilities have been
       corrected in these versions:

       "unzip vulnerability CVE-2008-0888" [1]
       "Directory traversal vulnerability CVE-2008-0481" [1]
       "OpenSSL vulnerability CVE-2007-5135" [1]
       "CVE-2008-0265 XSS vulnerability" [1]

       The National Vulnerability Database [2] gives the following
       information regarding these vulnerabilities:

        o CVE-2008-0888: "The NEEDBITS macro in the inflate_dynamic function 
          in inflate.c for unzip can be invoked using invalid buffers, which 
          allows remote attackers to cause a denial of service (crash) and 
          possibly execute arbitrary code via unknown vectors that trigger a 
          free of uninitialized or previously-freed data." [2]

        o CVE-2008-0481: "Directory traversal vulnerability in 
          RTE_file_browser.asp in Web Wiz Rich Text Editor 4.0 allows 
          remote attackers to list arbitrary directories, and .txt and 
          .zip files, via a .....\\\ in the sub parameter in a save 
          action." [2]

        o CVE-2007-5135: "Off-by-one error in the SSL_get_shared_ciphers 
          function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, 
          might allow remote attackers to execute arbitrary code via a 
          crafted packet that triggers a one-byte buffer underflow. 
          NOTE: this issue was introduced as a result of a fix for 
          CVE-2006-3738. As of 20071012, it is unknown whether code 
          execution is possible." [2]

        o CVE-2008-0265: "Multiple cross-site scripting (XSS) vulnerabilities 
          in the Search function in the web management interface in F5 
          BIG-IP 9.4.3 allow remote attackers to inject arbitrary web script 
          or HTML via the SearchString parameter to (1) list_system.jsp, 
          (2) list_pktfilter.jsp, (3) list_ltm.jsp, (4) resources_audit.jsp, 
          and (5) list_asm.jsp in tmui/Control/jspmap/tmui/system/log/; and 
          (6) list.jsp in certain directories." [2]
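
A detection sketch for the CVE-2008-0265 entry above, added here as an example and not taken from AusCERT or F5: it scans web access-log lines for requests to the listed JSP pages whose SearchString value contains HTML markup characters, including nested percent-encoding. The combined-log line format, the leading "/" on the path, the /tmui/ scope used for list.jsp, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and parameter named in the CVE-2008-0265 description.
LOG_DIR = "/tmui/Control/jspmap/tmui/system/log/"
LOG_PAGES = {"list_system.jsp", "list_pktfilter.jsp", "list_ltm.jsp",
             "resources_audit.jsp", "list_asm.jsp"}
PARAM = "searchstring"
# Characters needed to leave HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")
# Assumption: combined-log style request field: "METHOD /path?query HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to 3 rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_search(line):
    """Return (page, decoded SearchString) when markup is present, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    page = url.path.rsplit("/", 1)[-1]
    named = url.path.startswith(LOG_DIR) and page in LOG_PAGES
    # "list.jsp in certain directories" is not narrowed down in the advisory,
    # so this sketch assumes any list.jsp under /tmui/ is in scope.
    other = page == "list.jsp" and url.path.startswith("/tmui/")
    if not (named or other):
        return None
    # parse_qs percent-decodes once; parameter names are compared case-insensitively.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values if name.lower() == PARAM else ():
            value = fully_decode(value)
            if MARKUP.search(value):
                return page, value
    return None

SAMPLE_LOG = [  # constructed lines, not captured traffic
    '192.0.2.10 - admin [19/Sep/2008:10:01:22 +1000] "GET /tmui/Control/jspmap/tmui/system/log/list_system.jsp?SearchString=pool+down HTTP/1.1" 200 5120',
    '192.0.2.44 - - [19/Sep/2008:10:03:05 +1000] "GET /tmui/Control/jspmap/tmui/system/log/list_ltm.jsp?SearchString=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 4980',
    '192.0.2.44 - - [19/Sep/2008:10:03:09 +1000] "GET /tmui/Control/jspmap/tmui/system/log/resources_audit.jsp?searchstring=%2522%253E%253Cb%253E HTTP/1.1" 200 4710',
    '192.0.2.10 - admin [19/Sep/2008:10:04:40 +1000] "GET /tmui/login.jsp?msg=%3Cb%3E HTTP/1.1" 200 900',
]

def scan(lines):
    """Return (line index, page, decoded value) for every flagged line."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := suspicious_search(line))]
```

A legitimate search term containing a quote character is flagged as well, so hits are leads for review rather than confirmed injection attempts.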
      

MITIGATION:

       Applying BIG-IP Local Traffic Manager versions 9.4.4 and 9.4.5 will 
       correct these security vulnerabilities. Please refer to F5 Networks'
       website for instructions.


REFERENCES:

       [1] BIG-IP Local Traffic Manager version 9.4.5 and TMOS
           https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes9_4_5.html

       [2] The National Vulnerability Database
           http://nvd.nist.gov/home.cfm
           


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
