Published:

02 December 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2264
    sol15879: SOAP parser vulnerability CVE-2013-1824 Security Advisory
                              2 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1824  

Reference:         ESB-2013.1275

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15879.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol15879: SOAP parser vulnerability CVE-2013-1824 Security Advisory

Original Publication Date: 12/01/2014

Description

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote
attackers to read arbitrary files via a SOAP WSDL file containing an
XML external entity declaration in conjunction with an entity reference,
related to an XML External Entity (XXE) issue in the soap_xmlParseFile
and soap_xmlParseMemory functions. (CVE-2013-1824)

Impact

If a PHP application accepts untrusted SOAP object input remotely from
clients, an attacker could use this flaw for the unauthorized reading of
system files, accessible with the privileges of the PHP application.
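As an added illustration (not part of the F5 or AusCERT bulletin), the following Python shows the pattern the description refers to, an external entity declared in the DTD of a WSDL together with a reference to it in element content, being flagged before the document reaches any SOAP parser, and the same document parsed with external entity loading switched off. The two WSDL samples and the file path in the SYSTEM identifier are constructed placeholders; the function names are my own.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample (not from the bulletin): a minimal WSDL whose internal DTD
# subset declares an external entity and references it in element content.
# The SYSTEM identifier is a placeholder path; nothing below ever opens it.
SAMPLE_WSDL = """<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local/file">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
  <documentation>&ext;</documentation>
</definitions>
"""

# Constructed sample: the same WSDL with no DTD, which is the normal case.
CLEAN_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
  <documentation>no entities here</documentation>
</definitions>
"""

# A DOCTYPE with an optional internal subset in square brackets.
_DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>', re.S)

# External entity declarations (SYSTEM or PUBLIC) inside the internal subset;
# the optional leading "%" marks a parameter entity.
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>\S+)\s+'
    r'(?:SYSTEM\s+(?P<sys>"[^"]*"|\'[^\']*\')'
    r'|PUBLIC\s+(?:"[^"]*"|\'[^\']*\')\s+(?P<pubsys>"[^"]*"|\'[^\']*\'))',
    re.S,
)


def has_doctype(xml_text):
    """True if the document carries any DOCTYPE. WSDL and SOAP payloads have no
    legitimate need for one, so this is the cheapest rejection rule."""
    return _DOCTYPE_RE.search(xml_text) is not None


def find_external_entities(xml_text):
    """Return (name, system_id, referenced) for each external entity declared in
    the internal DTD subset; 'referenced' is True when the document body (or,
    for a parameter entity, the subset itself) actually uses the entity."""
    m = _DOCTYPE_RE.search(xml_text)
    if m is None or m.group('subset') is None:
        return []
    subset = m.group('subset')
    body = xml_text[m.end():]
    findings = []
    for e in _ENTITY_RE.finditer(subset):
        name = e.group('name')
        system_id = (e.group('sys') or e.group('pubsys')).strip('"\'')
        if e.group('pe'):
            referenced = ('%' + name + ';') in subset
        else:
            referenced = ('&' + name + ';') in body
        findings.append((name, system_id, referenced))
    return findings


class _TextCollector(ContentHandler):
    """Gathers character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_without_external_entities(xml_text):
    """Parse with external general entity loading switched off and return the
    collected character data; an external entity reference then yields nothing
    instead of the contents of the named file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode('utf-8')))
    return ''.join(collector.chunks)


if __name__ == '__main__':
    for label, doc in (('sample', SAMPLE_WSDL), ('clean', CLEAN_WSDL)):
        print(label, 'doctype:', has_doctype(doc), 'entities:', find_external_entities(doc))
        print(label, 'text:', repr(parse_without_external_entities(doc).strip()))
```

The pre-parse check is deliberately blunt: any DOCTYPE on a WSDL or SOAP body is grounds to reject the message at the edge, and find_external_entities only adds the detail an analyst wants in the alert. In PHP the comparable application-side switch is libxml_disable_entity_loader(true) (deprecated since PHP 8.0, where the bundled libxml 2.9 and later leave external entity loading off by default).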

Status

F5 Product Development has assigned ID 477313 (BIG-IP), ID 482170 (BIG-IQ),
and ID 482174 (Enterprise Manager) to this vulnerability, and has evaluated
the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components
or features that are affected by the vulnerability, and for information
about releases or hotfixes that address the vulnerability, refer to the
following table:

Product                 Versions known to be vulnerable  Versions known to be not vulnerable  Vulnerable component or feature

BIG-IP LTM              11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing
                        10.0.0 - 10.2.4*

BIG-IP AAM              11.4.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing

BIG-IP AFM              11.3.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing

BIG-IP Analytics        11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing

BIG-IP APM              11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing
                        10.1.0 - 10.2.4*

BIG-IP ASM              11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing
                        10.0.0 - 10.2.4*

BIG-IP Edge Gateway     11.0.0 - 11.3.0*                 None                                 XML parsing
                        10.1.0 - 10.2.4*

BIG-IP GTM              11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing
                        10.0.0 - 10.2.4*

BIG-IP Link Controller  11.0.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing
                        10.0.0 - 10.2.4*

BIG-IP PEM              11.3.0 - 11.4.1*                 11.5.0 - 11.6.0                      XML parsing

BIG-IP PSM              11.0.0 - 11.4.1*                 None                                 XML parsing
                        10.0.0 - 10.2.4*

BIG-IP WebAccelerator   11.0.0 - 11.3.0*                 None                                 XML parsing
                        10.0.0 - 10.2.4*

BIG-IP WOM              11.0.0 - 11.3.0*                 None                                 XML parsing
                        10.0.0 - 10.2.4*

ARX                     None                             6.0.0 - 6.4.0                        None

Enterprise Manager      3.0.0 - 3.1.1*                   None                                 XML parsing
                        2.1.0 - 2.3.0*

FirePass                None                             7.0.0                                None
                                                         6.0.0 - 6.1.0

BIG-IQ Cloud            4.0.0 - 4.3.0*                   4.4.0                                XML parsing

BIG-IQ Device           4.2.0 - 4.3.0*                   4.4.0                                XML parsing

BIG-IQ Security         4.0.0 - 4.3.0*                   4.4.0                                XML parsing

*Certain product versions contain the affected code; however, those product
versions do not parse untrusted XML input, and are therefore not exploitable.

Recommended Action

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to
the listed version. If the table does not list any version in the column,
then no upgrade candidate currently exists.

Supplemental Information

    SOL9970: Subscribing to email notifications regarding F5 products
    SOL9957: Creating a custom RSS feed to view new and updated documents
    SOL4602: Overview of the F5 security vulnerability response policy
    SOL4918: Overview of the F5 critical issue hotfix policy
    SOL167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----