Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2790
F5 Security Advisory : Linux kernel vulnerability
(CVE-2015-2830, CVE-2016-5829, CVE-2016-4470, CVE-2015-7872)
2 November 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 Products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5829 CVE-2016-4470 CVE-2015-7872
CVE-2015-2830
Reference: ASB-2016.0089
ASB-2016.0017
ESB-2017.0456
ESB-2017.0273
ESB-2016.2602
ESB-2016.2592
ESB-2016.2561
ESB-2016.2551
Original Bulletin:
https://support.f5.com/csp/article/K17462
https://support.f5.com/csp/article/K94105604
https://support.f5.com/csp/article/K55672042
https://support.f5.com/csp/article/K28056114
Comment: This bulletin contains four (4) F5 Networks security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
K17462: Linux kernel vulnerability CVE-2015-2830
Security Advisory
Original Publication Date: Oct 20, 2015
Updated Date: Nov 01, 2017
Applies to (see versions):
o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
BIG-IQ Centralized Management
5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
4.0.0
o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
BIG-IP WOM
13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1,
11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0
o Product: Enterprise Manager
3.1.1, 3.1.0, 3.0.0
o Product: F5 iWorkflow
2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
o Product: LineRate
2.6.2, 2.6.1, 2.6.0, 2.5.3, 2.5.2, 2.5.1, 2.5.0
o Product: ARX, ARX
6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0
o Product: FirePass
7.0.0, 6.1.0, 6.0.3, 6.0.2, 6.0.1, 6.0.0
o Product: F5 WebSafe
1.0.0
o Product: Traffix SDC
5.1.0, 5.0.0, 4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0, 3.5.1, 3.4.1, 3.3.2
o Product: BIG-IQ Cloud and Orchestration
1.0.0
Security Advisory Description
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent
the TS_COMPAT flag from reaching a user-mode task, which might allow local
users to bypass the seccomp or audit protection mechanism via a crafted
application that uses the (1) fork or (2) close system call, as demonstrated by
an attack against seccomp before 3.16. (CVE-2015-2830)
Impact
An authenticated attacker may be able to cause an escalation of privileges
through a crafted application that uses the fork or close system call.
Security Advisory Status
F5 Product Development has assigned ID 533413 (BIG-IP), ID 542392 (BIG-IQ), and
ID 542393 (Enterprise Manager) to this vulnerability, and has evaluated the
currently supported releases for potential vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H552758 on the Diagnostics > Identified > Low
screen.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
+---------------+----------------+-----------------+----------+----------------+
| |Versions known |Versions known to| |Vulnerable |
|Product |to be vulnerable|be not vulnerable|Severity |component or |
| | | | |feature |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 |13.0.0 | | |
| |11.6.0 - 11.6.1 |12.1.0 - 12.1.2 | | |
|BIG-IP LTM |11.0.0 - 11.5.4 |12.0.0 HF1 |Low |Linux kernel |
| |10.1.0 - 10.2.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP AAM |11.6.0 - 11.6.1 |12.0.0 HF1 |Low |Linux kernel |
| |11.4.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP AFM |11.6.0 - 11.6.1 |12.0.0 HF1 |Low |Linux kernel |
| |11.3.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP |12.0.0 |12.1.0 - 12.1.2 | | |
|Analytics |11.6.0 - 11.6.1 |12.0.0 HF1 |Low |Linux kernel |
| |11.0.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - | | |
|BIG-IP APM |11.6.1 - 11.6.1 |12.1.2 |Low |Linux kernel |
| |11.0.0 - 11.5.4 |12.0.0 HF1 | | |
| |10.1.0 - 10.2.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - | | |
|BIG-IP ASM |11.6.1 - 11.6.1 |12.1.2 |Low |Linux kernel |
| |11.0.0 - 11.5.4 |12.0.0 HF1 | | |
| |10.1.0 - 10.2.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP DNS |12.0.0 |12.1.0 - 12.1.2 |Low |Linux kernel |
| | |12.0.0 HF1 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge |11.0.0 - 11.3.0 |None |Low |Linux kernel |
|Gateway |10.1.0 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
| |11.6.0 - 11.6.1 |11.6.2 | | |
|BIG-IP GTM |11.0.0 - 11.5.4 |11.5.5 |Low |Linux kernel |
| |10.1.0 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 |13.0.0 | | |
|BIG-IP Link |11.6.0 - 11.6.1 |12.1.0 - 12.1.2 | | |
|Controller |11.0.0 - 11.5.4 |12.0.0 HF1 |Low |Linux kernel |
| |10.1.0 - 10.2.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP PEM |11.6.0 - 11.6.1 |12.0.0 HF1 |Low |Linux kernel |
| |11.3.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM |11.0.0 - 11.4.1 |None |Low |Linux kernel |
| |10.1.0 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP |11.0.0 - 11.3.0 |None |Low |Linux kernel |
|WebAccelerator |10.1.0 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM |11.0.0 - 11.3.0 |None |Low |Linux kernel |
| |10.1.0 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
|ARX |None |6.0.0 - 6.4.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise |3.0.0 - 3.1.1 |None |Low |Linux kernel |
|Manager | | | | |
+---------------+----------------+-----------------+----------+----------------+
|FirePass |None |7.0.0 |Not |None |
| | |6.0.0 - 6.1.0 |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud |4.0.0 - 4.5.0 |None |Low |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device |4.2.0 - 4.5.0 |None |Low |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0 |None |Low |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC |4.5.0 |None |Low |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ |5.0.0 - 5.1.0 | | | |
|Centralized |4.6.0 |5.2.0 - 5.3.0 |Low |Linux kernel |
|Management | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud | | | | |
|and |1.0.0 |None |Low |Linux kernel |
|Orchestration | | | | |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow |2.0.0 - 2.0.2 |2.1.0 - 2.3.0 |Low |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|LineRate |None |2.5.0 - 2.6.2 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|F5 WebSafe |None |1.0.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
| | |5.0.0 - 5.1.0 |Not | |
|Traffix SDC |None |4.0.0 - 4.4.0 |vulnerable|None |
| | |3.3.2 - 3.5.1 | | |
+---------------+----------------+-----------------+----------+----------------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
To mitigate this vulnerability for affected F5 products, you should permit
management access to F5 products only over a secure network, and limit shell
access to only trusted users. For more information about securing access to
BIG-IP/Enterprise Manager systems, refer to K13309: Restricting access to the
Configuration utility by source IP address (11.x - 13.x) and K13092: Overview
of securing access to the BIG-IP system.
Supplemental Information
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K4602: Overview of the F5 security vulnerability response policy
===============================================================================
K28056114: Linux kernel vulnerability CVE-2016-5829
Security Advisory
Original Publication Date: Oct 22, 2016
Updated Date: Nov 01, 2017
Applies to (see versions):
o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
BIG-IQ Centralized Management
5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
4.0.0
o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
BIG-IP WOM
13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1, 10.2.4,
10.2.3, 10.2.2, 10.2.1
o Product: Enterprise Manager
3.1.1
o Product: F5 iWorkflow
2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
o Product: LineRate
2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
o Product: ARX, ARX
6.4.0, 6.3.0, 6.2.0
o Product: F5 WebSafe
1.0.0
o Product: Traffix SDC
4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0
o Product: BIG-IQ Cloud and Orchestration
1.0.0
Security Advisory Description
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in
drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users
to cause a denial of service or possibly have unspecified other impact via a
crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)
Impact
This vulnerability can allow a local user to corrupt kernel memory, potentially
escalate their privileges, or cause the system to stop responding.
Security Advisory Status
F5 Product Development has assigned IDs 622495 and 622496 (BIG-IP), ID 622257
(BIG-IQ and F5 iWorkflow), ID 622259 (Enterprise Manager), and INSTALLER-2785
(Traffix SDC) to this vulnerability. Additionally, BIG-IP iHealth may list
Heuristic H624273 on the Diagnostics > Identified > Medium screen.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
+---------------+----------------+-----------------+----------+----------------+
| |Versions known |Versions known to| |Vulnerable |
|Product |to be vulnerable|be not vulnerable|Severity |component or |
| | | | |feature |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP LTM |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
| |11.2.1 |11.6.2 | | |
| |10.2.1 - 10.2.4 |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP AAM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP AFM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
|Analytics |11.2.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP APM |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
| |11.2.1 |11.6.2 | | |
| |10.2.1 - 10.2.4 |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP ASM |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
| |11.2.1 |11.6.2 | | |
| |10.2.1 - 10.2.4 |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP DNS |12.0.0 - 12.1.2 |13.0.0 |Medium |Linux kernel |
| | |12.1.2 HF1 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge |11.2.1 |None |Medium |Linux kernel |
|Gateway |10.2.1 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
| |11.4.0 - 11.6.1 |11.6.2 | | |
|BIG-IP GTM |11.2.1 |11.5.4 HF3 |Medium |Linux kernel |
| |10.2.1 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP Link |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
|Controller |11.2.1 |11.6.2 | | |
| |10.2.1 - 10.2.4 |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP PEM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM |11.4.0 - 11.4.1 |None |Medium |Linux kernel |
| |10.2.1 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP |11.2.1 |None |Medium |Linux kernel |
|WebAccelerator |10.2.1 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM |11.2.1 |None |Medium |Linux kernel |
| |10.2.1 - 10.2.4 | | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP WebSafe |11.6.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
| | |11.6.2 | | |
+---------------+----------------+-----------------+----------+----------------+
|ARX |None |6.2.0 - 6.4.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise |3.1.1 |None |Medium |Linux kernel |
|Manager | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud |4.0.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device |4.2.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC |4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ |5.0.0 - 5.1.0 | | | |
|Centralized |4.6.0 |5.2.0 - 5.3.0 |Medium |Linux kernel |
|Management | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud | | | | |
|and |1.0.0 |None |Medium |Linux kernel |
|Orchestration | | | | |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow |2.0.0 - 2.0.2 |2.1.0 - 2.3.0 |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|LineRate |None |2.5.0 - 2.6.1 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC |5.0.0 |None |Low |Linux kernel |
| |4.0.0 - 4.4.0 | | | |
+---------------+----------------+-----------------+----------+----------------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
.
Mitigation
To mitigate this vulnerability, you should consider the following
recommendations:
o Permit management access to F5 products only over a secure network, and
limit shell access to only trusted users. For more information about
securing access to BIG-IP and Enterprise Manager systems, refer to K13309:
Restricting access to the Configuration utility by source IP address (11.x
- 13.x) and K13092: Overview of securing access to the BIG-IP system.
o Lock down management port access and configure the self IP port lockdown
feature to disallow unneeded ports on all self IP addresses. For more
information, refer to K13250: Overview of port lockdown behavior (10.x -
11.x) or K17333: Overview of port lockdown behavior (12.x - 13.x).
Supplemental Information
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
===============================================================================
K55672042: Linux kernel vulnerability CVE-2016-4470
Security Advisory
Original Publication Date: Oct 23, 2016
Updated Date: Nov 01, 2017
Applies to (see versions):
o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
BIG-IQ Centralized Management
5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
4.0.0
o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator,
BIG-IP WOM
13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1, 10.2.4,
10.2.3, 10.2.2, 10.2.1
o Product: Enterprise Manager
3.1.1
o Product: F5 iWorkflow
2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
o Product: LineRate
2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
o Product: ARX, ARX
6.4.0, 6.3.0, 6.2.0
o Product: F5 WebSafe
1.0.0
o Product: Traffix SDC
4.4.0, 4.1.0, 4.0.5, 4.0.2, 4.0.0
o Product: BIG-IQ Cloud and Orchestration
1.0.0
Security Advisory Description
The key_reject_and_link function in security/keys/key.c in the Linux kernel
through 4.6.3 does not ensure that a certain data structure is initialized,
which allows local users to cause a denial of service (system crash) via
vectors involving a crafted keyctl request2 command. (CVE-2016-4470)
Impact
This vulnerability allows disruption of service.
Security Advisory Status
F5 Product Development has assigned ID 623119 (BIG-IP), ID 623155 (BIG-IQ),
and ID 623156 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H624225 on the Diagnostics > Identified > Medium
screen.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
+---------------+----------------+-----------------+----------+----------------+
| |Versions known |Versions known to| |Vulnerable |
|Product |to be vulnerable|be not vulnerable|Severity |component or |
| | | | |feature |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 - 12.1.2 |12.1.2 HF1 | | |
|BIG-IP LTM |11.4.0 - 11.6.1 |11.6.2 |Medium |Linux kernel |
| |11.2.1 |11.5.4 HF3 | | |
| | |10.2.1 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP AAM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP AFM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 | | |
|BIG-IP |11.4.0 - 11.6.1 |12.1.2 HF1 |Medium |Linux kernel |
|Analytics |11.2.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 - 12.1.2 |12.1.2 HF1 | | |
|BIG-IP APM |11.4.0 - 11.6.1 |11.6.2 |Medium |Linux kernel |
| |11.2.1 |11.5.4 HF3 | | |
| | |10.2.1 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 - 12.1.2 |12.1.2 HF1 | | |
|BIG-IP ASM |11.4.0 - 11.6.1 |11.6.2 |Medium |Linux kernel |
| |11.2.1 |11.5.4 HF3 | | |
| | |10.2.1 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP DNS |12.0.0 - 12.1.2 |13.0.0 |Medium |Linux kernel |
| | |12.1.2 HF1 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge |11.2.1 |10.2.1 - 10.2.4 |Medium |Linux kernel |
|Gateway | | | | |
+---------------+----------------+-----------------+----------+----------------+
| |11.4.0 - 11.6.1 |11.6.2 | | |
|BIG-IP GTM |11.2.1 |11.5.4 HF3 |Medium |Linux kernel |
| | |10.2.1 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP Link |12.0.0 - 12.1.2 |12.1.2 HF1 | | |
|Controller |11.4.0 - 11.6.1 |11.6.2 |Medium |Linux kernel |
| |11.2.1 |11.5.4 HF3 | | |
| | |10.2.1 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP PEM |12.0.0 - 12.1.2 |12.1.2 HF1 |Medium |Linux kernel |
| |11.4.0 - 11.6.1 |11.6.2 | | |
| | |11.5.4 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM |11.4.0 - 11.4.1 |10.2.1 - 10.2.4 |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP |11.2.1 |10.2.1 - 10.2.4 |Medium |Linux kernel |
|WebAccelerator | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM |11.2.1 |10.2.1 - 10.2.4 |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
| |12.0.0 - 12.1.2 |13.0.0 |Not | |
|BIG-IP WebSafe |11.6.0 - 11.6.1 |12.1.2 HF1 |vulnerable|None |
| | |11.6.2 | | |
+---------------+----------------+-----------------+----------+----------------+
|ARX |None |6.2.0 - 6.4.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise |3.1.1 |None |Medium |Linux kernel |
|Manager | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud |4.0.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device |4.2.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC |4.5.0 |None |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ |5.0.0 - 5.1.0 | | | |
|Centralized |4.6.0 |5.2.0 - 5.3.0 |Medium |Linux kernel |
|Management | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud | | | | |
|and |1.0.0 |None |Medium |Linux kernel |
|Orchestration | | | | |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow |2.0.0 - 2.0.2 |2.1.0 - 2.3.0 |Medium |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|LineRate |None |2.5.0 - 2.6.1 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC |5.0.0 |None |Low |Linux kernel |
| |4.0.0 - 4.4.0 | | | |
+---------------+----------------+-----------------+----------+----------------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
.
Mitigation
None
Supplemental Information
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
o K9502: BIG-IP hotfix matrix
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix matrix
o K10942: Installing OPSWAT hotfixes on BIG-IP APM systems
===============================================================================
K94105604: Linux kernel vulnerability CVE-2015-7872
Security Advisory
Original Publication Date: Jan 14, 2016
Updated Date: Nov 01, 2017
Applies to (see versions):
o Product: BIG-IQ
5.X.X, 4.X.X
o Product: BIG-IP
13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1,
11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0
o Product: Enterprise Manager
3.X.X
o Product: F5 iWorkflow
2.X.X
o Product: LineRate
2.X.X
o Product: ARX, ARX
6.4.0, 6.3.0, 6.2.0
o Product: FirePass
7.X.X
o Product: F5 WebSafe
1.X.X
o Product: Traffix SDC
4.X.X
o Product: BIG-IQ Cloud and Orchestration
1.X.X
Security Advisory Description
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel
through 4.2.6 allows local users to cause a denial of service (OOPS) via
crafted keyctl commands. (CVE-2015-7872)
Impact
A local user may be able to cause a denial-of-service (DoS) attack on the
system by using specially crafted keyctl commands.
Security Advisory Status
F5 Product Development has assigned ID 563154 (BIG-IP), ID 565221 (BIG-IQ), ID
565223 (Enterprise Manager), and INSTALLER-2102 (Traffix SDC) to this
vulnerability, and has evaluated the currently supported releases for potential
vulnerability. Additionally, BIG-IP iHealth may list Heuristic H94105604 on the
Diagnostics > Identified > High screen.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
+---------------+----------------+-----------------+----------+----------------+
| |Versions known |Versions known to| |Vulnerable |
|Product |to be vulnerable|be not vulnerable|Severity |component or |
| | | | |feature |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| | |12.1.0 - 12.1.2 | | |
| |12.0.0 |12.0.0 HF3 | | |
|BIG-IP LTM |11.6.0 - 11.6.1 |11.6.2 |High |Linux kernel |
| |11.1.0 - 11.5.4 |11.5.5 | | |
| | |11.0.0 | | |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP AAM |11.6.0 - 11.6.1 |12.0.0 HF3 |High |Linux kernel |
| |11.4.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP AFM |11.6.0 - 11.6.1 |12.0.0 HF3 |High |Linux kernel |
| |11.3.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP |11.6.0 - 11.6.1 |12.0.0 HF3 |High |Linux kernel |
|Analytics |11.1.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
| | |11.0.0 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| | |12.1.0 - 12.1.2 | | |
| |12.0.0 |12.0.0 HF3 | | |
|BIG-IP APM |11.6.0 - 11.6.1 |11.6.2 |High |Linux kernel |
| |11.1.0 - 11.5.4 |11.5.5 | | |
| | |11.0.0 | | |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| | |12.1.0 - 12.1.2 | | |
| |12.0.0 |12.0.0 HF3 | | |
|BIG-IP ASM |11.6.0 - 11.6.1 |11.6.2 |High |Linux kernel |
| |11.1.0 - 11.5.4 |11.5.5 | | |
| | |11.0.0 | | |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
|BIG-IP DNS |12.0.0 |12.1.0 - 12.1.2 |High |Linux kernel |
| | |12.0.0 HF3 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP Edge |11.1.0 - 11.3.0 |11.0.0 |High |Linux kernel |
|Gateway | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |11.6.2 | | |
|BIG-IP GTM |11.6.0 - 11.6.1 |11.5.5 |High |Linux kernel |
| |11.1.0 - 11.5.4 |11.0.0 | | |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| | |12.1.0 - 12.1.2 | | |
|BIG-IP Link |12.0.0 |12.0.0 HF3 | | |
|Controller |11.6.0 - 11.6.1 |11.6.2 |High |Linux kernel |
| |11.1.0 - 11.5.4 |11.5.5 | | |
| | |11.0.0 | | |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
| | |13.0.0 | | |
| |12.0.0 |12.1.0 - 12.1.2 | | |
|BIG-IP PEM |11.6.0 - 11.6.1 |12.0.0 HF3 |High |Linux kernel |
| |11.3.0 - 11.5.4 |11.6.2 | | |
| | |11.5.5 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP PSM |11.1.0 - 11.4.1 |11.0.0 |High |Linux kernel |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP |11.1.0 - 11.3.0 |11.0.0 |High |Linux kernel |
|WebAccelerator | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IP WOM |11.1.0 - 11.3.0 |11.0.0 |High |Linux kernel |
| | |10.1.0 - 10.2.4 | | |
+---------------+----------------+-----------------+----------+----------------+
|ARX |None |6.0.0 - 6.4.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise |3.0.0 - 3.1.1 |None |High |Linux kernel |
|Manager | | | | |
+---------------+----------------+-----------------+----------+----------------+
|FirePass |None |7.0.0 |Not |None |
| | |6.0.0 - 6.1.0 |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud |4.0.0 - 4.5.0 |None |High |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Device |4.2.0 - 4.5.0 |None |High |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Security|4.0.0 - 4.5.0 |None |High |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ ADC |4.5.0 |None |High |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ |5.0.0 - 5.1.0 | | | |
|Centralized |4.6.0 |5.2.0 - 5.3.0 |High |Linux kernel |
|Management | | | | |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud | | | | |
|and |1.0.0 |None |High |Linux kernel |
|Orchestration | | | | |
+---------------+----------------+-----------------+----------+----------------+
|F5 iWorkflow |2.0.0 - 2.1.0 |2.2.0 - 2.3.0 |High |Linux kernel |
+---------------+----------------+-----------------+----------+----------------+
|LineRate |None |2.5.0 - 2.6.1 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|F5 WebSafe |None |1.0.0 |Not |None |
| | | |vulnerable| |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC |4.0.0 - 4.4.0 |None |Low |Linux kernel |
| |3.3.2 - 3.5.1 | | | |
+---------------+----------------+-----------------+----------+----------------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
.
Mitigation
To mitigate this vulnerability, you can limit access to the Linux shell to
trusted users only.
Supplemental Information
o K9970: Subscribing to email notifications regarding F5 products
o K4602: Overview of the F5 security vulnerability response policy
o K9957: Creating a custom RSS feed to view new and updated documents
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWfq0wIx+lLeg9Ub1AQj7Pg//YEEWG1lSgc0kAisoMCWqMnPnbSoyI1hE
sjFa8PJhW2XTXhmdjKOHRvIc9Ev8K3HbRUpJ1GcmIBW72h60cjGyx9jo/9iPVWNQ
4AFpw7I9biGDPgbHOOlqE+1XJ/hQ8UADuN2ZDnXOnHwwbNGTeWMn0arCqk9vjg7g
g11TeEAweDoRYcj4PSPAg3V8OOG/si8c/y4PVuSSXobyCW4oFHok7KU4BRoD7WYX
efePle9P0zQi2OWG/ctZT3JdZBfPOXL5MPPfIdxVvY3SIwT1Ihq/05yFiyEWhljp
a6xwJFAxPN+zB32dHRgPlvritZknzYteAq0yMNhuJN7iD3UCvTXd2IAnF1Qn55S+
Pxyn65W59Ft0/h9jbUs47S+4tnRC6e1D1C2T/bfGUzmWfDSA3c7IaPKWNHylJO3W
UEfGme+pCZkVH3vhqu3VVbZHlrmIJHdpxzJ9juHMS3WYaQBKE9ghh2yacPSIU40W
cIb+HsKG1q/dLg51oPu4SKkztA/24RREr0etiGvZOvMta3wwuSOhnDCzG4iXHOXr
1B5ktI3/XE3i0U2pVOggN/kGJPu5dRjrZYJxY0ZQohlcAgpG5nQJqQMd5RDI7abF
u9oPnz54tKteb+ajcnjOGkrxDP/il9z4no3iN2PMUyw4hugkWWCov6+17UT4uPIt
nTee2oSn09M=
=q/4z
-----END PGP SIGNATURE-----