ESB-2018.0031 - [Appliance] F5 BIG-IP Products: Denial of service - Remote/unauthenticated - 2018-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0031
  Final - K51390683: PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5095 CVE-2016-5094 

Reference:         ESB-2017.0119
                   ESB-2016.2728
                   ESB-2016.1514
                   ESB-2016.1510

Original Bulletin: 
   https://support.f5.com/csp/article/K51390683

- --------------------------BEGIN INCLUDED TEXT--------------------

Final - K51390683: PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Security Advisory

Original Publication Date: Aug 04, 2016
Updated Date: Dec 27, 2017

The security issue described in this article has been resolved or does not
affect any F5 products. There will be no further updates, unless new
information is discovered.

Security Advisory Description

  o CVE-2016-5094

    Integer overflow in the php_html_entities function in ext/standard/html.c
    in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to
    cause a denial of service or possibly have unspecified other impact by
    triggering a large output string from the htmlspecialchars function.

  o CVE-2016-5095

    Integer overflow in the php_escape_html_entities_ex function in
    ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows
    remote attackers to cause a denial of service or possibly have unspecified
    other impact by triggering a large output string from a
    FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call. NOTE: this
    vulnerability exists because of an incomplete fix for CVE-2016-5094.

Impact

Although BIG-IP and BIG-IQ software contains the vulnerable code, BIG-IP and
BIG-IQ systems do not use the vulnerable code in a way that exposes the
vulnerability in a standard default configuration. When exploited, the PHP
module may encounter an out-of-memory error that affects the Configuration
utility.
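As an added illustration of the bug class described above (example code written for this bulletin, not PHP's ext/standard/html.c and not F5's code): an HTML-entity escaper whose output-size computation is checked before allocation, shown beside the unchecked 32-bit computation that silently wraps on large input. The six-byte worst-case expansion and the 32-bit length type are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case growth: one input byte such as '"' or '\'' becomes a six-byte
 * entity ("&quot;", "&#039;"), so output may be up to 6x the input size. */
#define MAX_EXPANSION 6

/* Bug-class illustration (assumed, not PHP's actual code): when the output
 * length is computed in a 32-bit unsigned int, len * 6 wraps modulo 2^32 for
 * inputs above ~715 MB, so a caller would allocate a buffer far smaller than
 * what the escaper then writes, or grow it until memory is exhausted. */
unsigned int unchecked_escaped_len(unsigned int len) {
    return len * MAX_EXPANSION;  /* wraps silently, no error reported */
}

/* Hardened computation: reject before the multiplication can overflow.
 * Returns 0 and stores the size on success, -1 if len * 6 + 1 would not
 * fit in size_t. Failing closed here is what prevents the out-of-memory
 * condition the advisory describes. */
int checked_escaped_len(size_t len, size_t *out) {
    if (len > (SIZE_MAX - 1) / MAX_EXPANSION) return -1;
    *out = len * MAX_EXPANSION + 1;  /* +1 for the terminating NUL */
    return 0;
}

/* Escape the five significant HTML characters the way htmlspecialchars does
 * with ENT_QUOTES. Returns a malloc'd string, or NULL when the size check
 * fails or allocation fails; the caller treats NULL as "input too long". */
char *escape_html(const char *in, size_t len) {
    size_t need;
    if (checked_escaped_len(len, &need) != 0) return NULL;
    char *out = malloc(need);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(p, rep, r); p += r; }
        else      *p++ = in[i];
    }
    *p = '\0';
    return out;
}

int main(void) {
    const char *sample = "<a href=\"x\">'&'</a>";  /* constructed input */
    char *s = escape_html(sample, strlen(sample));
    if (s) { printf("%s\n", s); free(s); }
    printf("wrapped length: %u\n", unchecked_escaped_len(0x40000000u));
    return 0;
}
```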

Security Advisory Status

F5 Product Development has assigned ID 599285 (BIG-IP) and ID 599562 (BIG-IQ
and F5 iWorkflow) to this vulnerability. Additionally, BIG-IP iHealth may list
Heuristic H608125 on the Diagnostics > Identified > Low screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|               |                |11.6.1 HF2 -     |          |                |
|BIG-IP LTM     |12.0.0 - 12.1.2 |11.6.2           |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.5.4 HF4 -     |          |utility         |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|BIG-IP AAM     |12.0.0 - 12.1.2 |11.6.1 HF2 -     |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.6.2           |          |utility         |
|               |                |11.5.4 HF4 -     |          |                |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|BIG-IP AFM     |12.0.0 - 12.1.2 |11.6.1 HF2 -     |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.6.2           |          |utility         |
|               |                |11.5.4 HF4 -     |          |                |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|BIG-IP         |12.0.0 - 12.1.2 |11.6.1 HF2 -     |          |Configuration   |
|Analytics      |11.5.0 - 11.6.1 |11.6.2           |Low       |utility         |
|               |                |11.5.4 HF4 -     |          |                |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|               |                |11.6.1 HF2 -     |          |                |
|BIG-IP APM     |12.0.0 - 12.1.2 |11.6.2           |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.5.4 HF4 -     |          |utility         |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|               |                |11.6.1 HF2 -     |          |                |
|BIG-IP ASM     |12.0.0 - 12.1.2 |11.6.2           |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.5.4 HF4 -     |          |utility         |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |Configuration   |
|BIG-IP DNS     |12.0.0 - 12.1.2 |12.1.2 HF1 -     |Low       |utility         |
|               |                |12.1.3           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge    |None            |11.2.1           |Not       |None            |
|Gateway        |                |10.2.1 - 10.2.4  |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |11.6.1 HF2 -     |          |                |
|               |                |11.6.2           |          |                |
|               |                |11.5.4 HF4 -     |          |Configuration   |
|BIG-IP GTM     |11.5.0 - 11.6.1 |11.5.5           |Low       |utility         |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|               |                |11.6.1 HF2 -     |          |                |
|BIG-IP Link    |12.0.0 - 12.1.2 |11.6.2           |Low       |Configuration   |
|Controller     |11.5.0 - 11.6.1 |11.5.4 HF4 -     |          |utility         |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
|               |                |11.2.1           |          |                |
|               |                |10.2.1 - 10.2.4  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |                |12.1.2 HF1 -     |          |                |
|               |                |12.1.3           |          |                |
|BIG-IP PEM     |12.0.0 - 12.1.2 |11.6.1 HF2 -     |Low       |Configuration   |
|               |11.5.0 - 11.6.1 |11.6.2           |          |utility         |
|               |                |11.5.4 HF4 -     |          |                |
|               |                |11.5.5           |          |                |
|               |                |11.4.0 - 11.4.1  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM     |None            |11.4.0 - 11.4.1  |Not       |None            |
|               |                |10.2.1 - 10.2.4  |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP         |None            |11.2.1           |Not       |None            |
|WebAccelerator |                |10.2.1 - 10.2.4  |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM     |None            |11.2.1           |Not       |None            |
|               |                |10.2.1 - 10.2.4  |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |None            |6.2.0 - 6.4.0    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |None            |3.1.1            |Not       |None            |
|Manager        |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|FirePass       |None            |7.0.0            |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |4.4.0 - 4.5.0   |4.0.0 - 4.3.0    |Low       |Configuration   |
|               |                |                 |          |utility         |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device  |4.4.0 - 4.5.0   |4.2.0 - 4.3.0    |Low       |Configuration   |
|               |                |                 |          |utility         |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.4.0 - 4.5.0   |4.0.0 - 4.3.0    |Low       |Configuration   |
|               |                |                 |          |utility         |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC     |4.5.0           |None             |Low       |Configuration   |
|               |                |                 |          |utility         |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ         |5.0.0           |                 |          |Configuration   |
|Centralized    |4.6.0           |None             |Low       |utility         |
|Management     |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |Configuration   |
|and            |1.0.0           |None             |Low       |utility         |
|Orchestration  |                |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow   |2.0.0           |None             |Low       |Configuration   |
|               |                |                 |          |utility         |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |None            |2.5.0 - 2.6.1    |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|F5 MobileSafe  |None            |1.0.0            |Not       |None            |
|               |                |                 |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |          |                |
|               |12.0.0 - 12.1.2 |12.1.2 HF1 -     |          |Configuration   |
|BIG-IP WebSafe |11.6.0 - 11.6.1 |12.1.3           |Low       |utility         |
|               |                |11.6.1 HF2 -     |          |                |
|               |                |11.6.2           |          |                |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC    |None            |5.0.0            |Not       |None            |
|               |                |4.0.0 - 4.4.0    |vulnerable|                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

To mitigate this vulnerability, ensure that the PHP memory limit has not been
modified and remains at its default value. F5 recommends that you do not
modify the default value for the PHP memory limit.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix matrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================