-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.0872.2
                Advanced WAF/ASM - Multiple Vulnerabilities
                               15 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Create Arbitrary Files          -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23001 CVE-2021-22993 CVE-2021-22992
                   CVE-2021-22990 CVE-2021-22989 CVE-2021-22988
                   CVE-2021-22987 CVE-2021-22986 

Original Bulletin: 
   https://support.f5.com/csp/article/K45056101
   https://support.f5.com/csp/article/K52510511
   https://support.f5.com/csp/article/K55237223
   https://support.f5.com/csp/article/K06440657

Comment: This bulletin contains four (4) F5 Networks security advisories.

Revision History:  March 15 2021: Added multiple BIG-IP Products for K52510511
                   March 11 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K45056101: Advanced WAF/ASM TMUI authenticated remote command execution
vulnerability CVE-2021-22990

Original Publication Date: 11 Mar, 2021

Security Advisory Description

On systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management
User Interface (TMUI), also referred to as the Configuration utility, has an
authenticated remote command execution vulnerability in undisclosed pages.
(CVE-2021-22990)

Note: For systems running in Appliance mode, refer to K56142644 Appliance Mode
Advanced WAF/ASM TMUI authenticated remote command execution vulnerability
CVE-2021-22989.

Impact

This vulnerability allows highly privileged authenticated users with the roles
Administrator, Resource Administrator, or Application Security Administrator
with network access to the Configuration utility, through the BIG-IP management
port or self IP addresses, to execute arbitrary system commands, create and
delete files, or disable services. This vulnerability can only be exploited
through the control plane and cannot be exploited through the data plane.
Exploitation can lead to complete system compromise.

Note: If you believe your system may have been compromised, refer to K11438344:
Considerations and guidance when you suspect a security compromise on a BIG-IP
system.

Security Advisory Status

F5 Product Development has assigned ID 953729 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------+------+-------------+----------+----------+------+-------------+
|             |      |Versions     |Fixes     |          |CVSSv3|Vulnerable   |
|Product      |Branch|known to be  |introduced|Severity  |score^|component or |
|             |      |vulnerable   |in        |          |1     |feature      |
+-------------+------+-------------+----------+----------+------+-------------+
|             |16.x  |16.0.0 -     |16.0.1.1  |          |      |             |
|             |      |16.0.1       |          |          |      |             |
|             +------+-------------+----------+          |      |             |
|             |15.x  |15.1.0 -     |15.1.2.1  |          |      |             |
|             |      |15.1.2       |          |          |      |             |
|             +------+-------------+----------+          |      |             |
|             |14.x  |14.1.0 -     |14.1.4    |          |      |             |
|BIG-IP       |      |14.1.3       |          |          |      |TMUI/        |
|(Advanced WAF+------+-------------+----------+Medium    |6.6   |Configuration|
|and ASM)     |13.x  |13.1.0 -     |13.1.3.6  |          |      |utility      |
|             |      |13.1.3       |          |          |      |             |
|             +------+-------------+----------+          |      |             |
|             |12.x  |12.1.0 -     |12.1.5.3  |          |      |             |
|             |      |12.1.5       |          |          |      |             |
|             +------+-------------+----------+          |      |             |
|             |11.x  |11.6.1 -     |11.6.5.3  |          |      |             |
|             |      |11.6.5       |          |          |      |             |
+-------------+------+-------------+----------+----------+------+-------------+
|             |8.x   |None         |Not       |          |      |             |
|             |      |             |applicable|          |      |             |
|BIG-IQ       +------+-------------+----------+          |      |             |
|Centralized  |7.x   |None         |Not       |Not       |None  |None         |
|Management   |      |             |applicable|vulnerable|      |             |
|             +------+-------------+----------+          |      |             |
|             |6.x   |None         |Not       |          |      |             |
|             |      |             |applicable|          |      |             |
+-------------+------+-------------+----------+----------+------+-------------+
|F5OS         |1.x   |None         |Not       |Not       |None  |None         |
|             |      |             |applicable|vulnerable|      |             |
+-------------+------+-------------+----------+----------+------+-------------+
|Traffix SDC  |5.x   |None         |Not       |Not       |None  |None         |
|             |      |             |applicable|vulnerable|      |             |
+-------------+------+-------------+----------+----------+------+-------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the table does not list a fixed version for
your software branch, then no update candidate currently exists for that branch
and F5 recommends upgrading to a version with the fix (refer to the table).

If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix. Refer to 
K51812227: Understanding security advisory versioning.

If you are using public cloud marketplaces (AWS, Azure, GCP, or Alibaba) to
deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest
releases of BIG-IP versions listed in the Fixes introduced in column, subject
to their availability on those marketplaces. For more information, refer to the
following articles:

  o BIG-IP VE Supported Platforms
  o K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents

Mitigation

As this attack is conducted by legitimate, authenticated users holding the
Administrator, Resource Administrator, or Application Security Administrator
role, there is no viable mitigation that still allows those users access to
the Configuration utility. The only mitigation is to remove access for any
users who are not completely trusted.

Until it is possible to install a fixed version, you can use the following
sections to reduce exposure. They restrict access to the Configuration utility
to trusted networks or devices, which limits where an attacker must already be
positioned but does not remove the vulnerability:

  o Block Configuration utility access through self IP addresses
  o Block Configuration utility access through the management interface

Block Configuration utility access through self IP addresses

You can block all access to the Configuration utility of your BIG-IP system
using self IP addresses. To do so, you can change the Port Lockdown setting to
Allow None for each self IP address on the system. If you must open any ports,
you should use the Allow Custom option, taking care to disallow access to the
Configuration utility. By default, the Configuration utility listens on TCP
port 443. Alternatively, you can configure a custom port.

Note: Performing this action prevents all access to the Configuration utility
and iControl REST using the self IP address. These changes may also impact
other services, including breaking high availability (HA) configurations.

Before you make changes to the configuration of your self-IP addresses, F5
strongly recommends that you refer to the following articles:

  o K17333: Overview of port lockdown behavior (12.x - 16.x)
  o K13092: Overview of securing access to the BIG-IP system
  o K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual
    Edition now defaults to TCP port 8443
  o K51358480: The single-NIC BIG-IP VE may erroneously revert to the default
    management httpd port after a configuration reload

Block Configuration utility access through the management interface

To mitigate this vulnerability for affected F5 products, restrict management
access to F5 products to trusted users and devices, over a secure network. For
more information about securing access to BIG-IP systems, refer to the
following articles:

  o K13309: Restricting access to the Configuration utility by source IP
    address (11.x - 16.x)
  o K13092: Overview of securing access to the BIG-IP system
  o K46122561: Restricting access to the management interface using network
    firewall rules
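
The following Python script is an added example for this bulletin, not F5
code. It applies the two checks above to the JSON that iControl REST returns
for /mgmt/tm/net/self (self IP Port Lockdown) and /mgmt/tm/sys/httpd
(Configuration utility allow list) and reports every self IP that still admits
Configuration utility traffic, plus an httpd allow list left at All. The sample
JSON is constructed; the host name, credentials, and the assumption that
tcp:443 and tcp:8443 are the Configuration utility ports are the example's own.

```python
# Added example (not F5 code): audit the K45056101 mitigations using the JSON
# iControl REST returns for /mgmt/tm/net/self and /mgmt/tm/sys/httpd. Sample
# documents below are constructed; host/credentials in fetch() are placeholders.
from __future__ import annotations

import base64
import json
import ssl
import urllib.request

# Ports the Configuration utility may listen on. Assumption: tcp:443 is the
# default and tcp:8443 the single-NIC VE default (K31003634); add any custom
# port you have configured.
CONFIG_UTILITY_PORTS = {"tcp:443", "tcp:8443"}


def self_ip_exposes_tmui(self_ip: dict) -> bool:
    """True if a self IP's Port Lockdown admits Configuration utility traffic.

    iControl REST omits the allowService key when Port Lockdown is
    'Allow None', so a missing key is the safe state.
    """
    services = self_ip.get("allowService")
    if not services:
        return False
    services = {s.lower() for s in services}
    if "all" in services or "default" in services:
        return True          # Allow All and Allow Default both include tcp:443
    return bool(services & CONFIG_UTILITY_PORTS)


def audit(self_ips: dict, httpd: dict) -> list[str]:
    """Return one finding per exposure; an empty list means nothing to fix."""
    findings = []
    for item in self_ips.get("items", []):
        if self_ip_exposes_tmui(item):
            findings.append(
                f"self IP {item['fullPath']} ({item['address']}) allows "
                f"{item.get('allowService')}: set Port Lockdown to Allow None "
                f"(tmsh modify /net self {item['name']} allow-service none) "
                f"or to an Allow Custom list without the Configuration "
                f"utility port (K17333)")
    allow = [a.lower() for a in httpd.get("allow", [])]
    if "all" in allow:
        findings.append(
            "sys httpd allow is 'All': limit it to trusted management "
            "networks (tmsh modify /sys httpd allow replace-all-with "
            "{ <trusted prefix> }, see K13309)")
    return findings


def fetch(host: str, user: str, password: str, path: str,
          verify_tls: bool = True) -> dict:
    """GET one iControl REST resource over the management port with Basic
    auth. Leave verify_tls on unless the device still has the factory
    self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{path}", headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed sample data in the shape iControl REST returns.
SAMPLE_SELF_IPS = {
    "kind": "tm:net:self:selfcollectionstate",
    "items": [
        # Allow Default: Configuration utility reachable, must be fixed.
        {"name": "ext_self", "fullPath": "/Common/ext_self",
         "address": "192.0.2.10/24", "allowService": ["default"]},
        # Allow Custom limited to HA ports (assumed here: tcp:4353 ConfigSync,
        # udp:1026 network failover): blocks TMUI without breaking HA.
        {"name": "ha_self", "fullPath": "/Common/ha_self",
         "address": "198.51.100.10/24",
         "allowService": ["tcp:4353", "udp:1026"]},
        # Allow None: allowService key absent.
        {"name": "int_self", "fullPath": "/Common/int_self",
         "address": "10.0.0.10/24"},
    ],
}
SAMPLE_HTTPD = {"kind": "tm:sys:httpd:httpdstate", "allow": ["All"],
                "sslPort": 443}

if __name__ == "__main__":
    # Replace the sample data with live data, for example:
    # self_ips = fetch("bigip.example.net", "admin", "...", "/mgmt/tm/net/self")
    # httpd = fetch("bigip.example.net", "admin", "...", "/mgmt/tm/sys/httpd")
    for line in audit(SAMPLE_SELF_IPS, SAMPLE_HTTPD) or ["no exposure found"]:
        print(line)
```

The ha_self entry shows the compromise the note above alludes to: Allow Custom
with only the ports HA needs keeps failover working while the Configuration
utility port stays closed. Confirm the exact port list your HA configuration
needs against K17333 before applying it.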

Supplemental Information

  o K02566623: Overview of F5 critical vulnerabilities (March 2021)
  o K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987,
    CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990
  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ---------------------------------------------------------------------------------

K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Original Publication Date: 11 Mar, 2021
Latest   Publication Date: 13 Mar, 2021

Security Advisory Description

A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page
configured in its policy may trigger a buffer overflow, resulting in a DoS
attack. In certain situations, it may allow remote code execution (RCE),
leading to complete system compromise. (CVE-2021-22992)

Impact

A sophisticated attacker must have control over the back-end web servers (pool
members) or the ability to manipulate the server-side HTTP responses to the
virtual server to exploit this vulnerability. With this level of back-end
control, the attacker may cause the BIG-IP Advanced WAF/ASM system to
experience a denial-of-service (DoS). In the worst case, the attacker may
execute arbitrary code on the BIG-IP Advanced WAF/ASM system. This
vulnerability can only be exploited through the data plane and cannot be
exploited through the control plane. Exploitation can lead to complete system
compromise.

Note: If you believe your system may have been compromised, refer to K11438344:
Considerations and guidance when you suspect a security compromise on a BIG-IP
system.

Security Advisory Status

F5 Product Development has assigned ID 975233 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |16.0.0 -  |16.0.1.1  |          |      |          |
|                   |      |16.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |15.1.0 -  |15.1.2.1  |          |      |          |
|                   |      |15.1.2    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.4    |          |      |          |
|BIG-IP (Advanced   |      |14.1.3    |          |          |      |ASM       |
|WAF and ASM)       +------+----------+----------+Critical  |9.0   |virtual   |
|                   |13.x  |13.1.0 -  |13.1.3.6  |          |      |server    |
|                   |      |13.1.3    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.3* |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.3  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|AFM, Analytics,    |14.x  |None      |Not       |          |      |          |
|APM, DDHD, DNS,    |      |          |applicable|Not       |      |          |
|FPS, GTM, Link     +------+----------+----------+vulnerable|None  |None      |
|Controller, PEM,   |13.x  |None      |Not       |          |      |          |
|SSLO)              |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |8.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |7.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |6.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5OS               |1.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

*An issue with the bigd process has been discovered in version 12.1.5.3. For
more information, refer to K50524736: Bigd process memory leak after updating
to BIG-IP 12.1.5.3.

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the table does not list a fixed version for
your software branch, then no update candidate currently exists for that branch
and F5 recommends upgrading to a version with the fix (refer to the table).

If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.  Refer to 
K51812227: Understanding security advisory versioning.

If you are using public cloud marketplaces (AWS, Azure, GCP, or Alibaba) to
deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest
releases of BIG-IP versions listed in the Fixes introduced in column, subject
to their availability on those marketplaces. For more information, refer to the
following articles:

  o BIG-IP VE Supported Platforms
  o K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents

Mitigation

  o Mitigate malicious connections using an iRule
  o Modify Login Page configuration
  o Harden pool members
  o Remove Login Pages

Mitigate malicious connections using an iRule

To mitigate this vulnerability, you can associate the following iRule with the
affected virtual servers. The iRule examines the response from the server and
returns a 502 error for vulnerable responses.

Impact of workaround: The following mitigation may add additional resource load
on the system, depending on the specific environment. F5 recommends that you
test any such changes during a maintenance window and consider the possible
impact on your environment.

To use the iRule mitigation, perform the following procedure:

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > iRules > iRule List.
 3. Select Create.
 4. Enter a name for the iRule.
 5. For Definition, add the following iRule code:

    # Mitigation for K52510511: Advanced WAF/ASM Buffer Overflow vulnerability
    # CVE-2021-22992
    when RULE_INIT {
        # Set static::debug 1 to enable debug logging.
        set static::debug 0
        # Responses whose combined header-name length exceeds this value are
        # replaced with a 502.
        set static::max_length 4000
    }
    when HTTP_REQUEST {
        if {$static::debug} {
            set LogString "Client [IP::client_addr]:[TCP::client_port] -> \
                [HTTP::host][HTTP::uri]"
        }
        set uri [string tolower [HTTP::uri]]
    }
    when HTTP_RESPONSE {
        # Concatenate every response header name and measure the result.
        set header_names [HTTP::header names]
        set combined_header_name [join $header_names ""]
        set combined_header_name_len [string length $combined_header_name]
        if {$static::debug} {
            log local0. "=================response======================"
            log local0. "$LogString (response)"
            log local0. "combined header names: $combined_header_name"
            foreach aHeader $header_names {
                log local0. "$aHeader: [HTTP::header value $aHeader]"
            }
            log local0. "the length of the combined response header names: \
                $combined_header_name_len"
            log local0. "============================================="
        }
        if { $combined_header_name_len > $static::max_length } {
            log local0. "In the response of '$uri', the length of the combined \
                header names $combined_header_name_len exceeds the maximum \
                value $static::max_length. See K52510511: Advanced WAF/ASM \
                Buffer Overflow vulnerability CVE-2021-22992"
            HTTP::respond 502 content "<HTML><HEAD><TITLE>Bad Gateway</TITLE>\
                </HEAD><BODY><P>The server response is invalid. Please inform \
                the administrator. Error: K52510511</P></BODY></HTML>"
        }
    }

 6. Select Finished.
 7. Associate the iRule with the affected virtual servers.
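
The iRule decision above, reproduced in Python as an added example for this
bulletin (not F5 code), so that a response captured from a pool member, for
instance a curl -si dump or a packet capture, can be checked offline before
relying on the iRule or when verifying that a legitimate application will not
be blocked by it. The sample responses are constructed; the 4000-character
limit is the iRule's own static::max_length.

```python
# Added example (not F5 code): the K52510511 iRule check in Python. The rule is
# the same as the iRule's: join every response header name, and if the joined
# string is longer than static::max_length (4000) the response is blocked.
# All sample responses below are constructed for the example.
from __future__ import annotations

MAX_COMBINED_HEADER_NAME_LENGTH = 4000   # static::max_length in the iRule


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) pairs.

    Obsolete line folding (a line starting with SP or HTAB) is appended to
    the previous value so a folded value is not counted as a header name.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x response")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def combined_header_name_length(headers: list[tuple[str, str]]) -> int:
    """Equivalent of [string length [join [HTTP::header names] ""]]."""
    return len("".join(name for name, _ in headers))


def check_response(raw: bytes,
                   limit: int = MAX_COMBINED_HEADER_NAME_LENGTH) -> tuple[str, int]:
    """Return ('block' | 'pass', combined_length), mirroring the iRule."""
    length = combined_header_name_length(parse_headers(raw))
    return ("block" if length > limit else "pass"), length


# A normal login-page response: 53 characters of header names in total.
BENIGN = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"Set-Cookie: session=abc\r\n"
          b"X-Login-Validated: yes\r\n"
          b"Content-Length: 0\r\n\r\n")

# What a compromised pool member might send: one header whose NAME alone is
# 5000 bytes. Header values play no part in the check.
OVERSIZED = (b"HTTP/1.1 200 OK\r\n"
             b"X-" + b"A" * 4998 + b": 1\r\n"
             b"Content-Length: 0\r\n\r\n")

# The same limit reached with 320 ordinary-looking 13-character names.
MANY = (b"HTTP/1.1 200 OK\r\n"
        + b"".join(b"X-Header-%04d: v\r\n" % i for i in range(320))
        + b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("oversized", OVERSIZED),
                       ("many", MANY)):
        verdict, length = check_response(raw)
        print(f"{label:9s} combined header-name length {length:5d} -> {verdict}")
```

Only header names count, exactly as in the iRule, so a response with a few
very long header values passes while one with many short headers can be
blocked; the MANY sample shows the second case. Pass a lower limit to
check_response to see how much headroom a given application has under a
stricter policy.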

Modify Login Page configuration

To mitigate this vulnerability, you may remove the configuration of both of the
following settings from the Login Page configuration:

  o Expected validation header name and value
  o Not expected validation header name and value

To do so, perform the following procedure:

 1. Log in to the Configuration utility of the affected BIG-IP Advanced WAF/ASM
    system.
 2. Go to Security > Application Security > Sessions and Logins > Login Pages
    List.
 3. Select the security policy from the Current edited policy list.
 4. Select the name of the Login URL from the Login Pages List.
 5. Remove all configuration from both the settings.
 6. Select Save to save the changes.
 7. Select Apply Policy to apply the changes.
 8. Select OK to confirm the operation.

These two settings should remain empty until the affected BIG-IP Advanced WAF/
ASM system is updated to a version listed in the Fixes introduced in column.

Important: You may need to configure alternative Login Page access validation
criteria to continue using the Login Page without these set.

Harden pool members

To mitigate this vulnerability, you can harden your back-end web servers and
network to prevent the malicious headers in the HTTP response to the login page
from being sent to the BIG-IP Advanced WAF/ASM system.  Other attacks against
the server, such as CRLF Injection or HTTP Response Splitting, may also be used
to manipulate the HTTP response. Use of HTTP protocol compliance can protect
against these attacks, refer to K10280: Overview of BIG-IP ASM HTTP protocol
compliance.

Remove Login Pages

Alternatively, you can delete any Login Page configured for a security policy
and avoid using the Login Page feature until the affected BIG-IP Advanced WAF/
ASM system is upgraded to a version listed in the Fixes introduced in column.

To delete a login page, perform the following procedure:

 1. Log in to the Configuration utility of the affected BIG-IP ASM system.
 2. Go to Security > Application Security > Sessions and Logins > Login Pages
    List.
 3. Select the security policy from the Current edited policy list.
 4. Select the login page configuration you want to remove.
 5. Select Delete.
 6. Select OK to confirm the deletion.
 7. Select Apply Policy to apply the changes.
 8. Select OK to confirm the operation.

Important: Login Page configuration may be critical to the function of the
Brute Force Attack Prevention, Login Enforcement, and Session Tracking
functions in a security policy. Review your security policy to see if any of
these functions require the Login Page configuration before deleting it.

Acknowledgements

F5 acknowledges Felix Wilhelm of Google Project Zero for bringing this issue to
our attention and following the highest standards of coordinated disclosure.

Supplemental Information

  o K02566623: Overview of F5 critical vulnerabilities (March 2021)
  o K50963210: Frequently asked questions for CVE-2021-22992
  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- -------------------------------------------------------------------------------

K55237223: BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Original Publication Date: 11 Mar, 2021

Security Advisory Description

A DOM-based cross-site scripting (XSS) vulnerability exists on the DoS Profile
properties page of the Configuration utility. (CVE-2021-22993)

Impact

An attacker can inject a malicious script into the BIG-IP Advanced WAF and ASM
Configuration utility and trick users into executing malicious code.

Security Advisory Status

F5 Product Development has assigned ID 941449 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |16.0.0 -  |16.0.1.1  |          |      |          |
|                   |      |16.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |15.1.0 -  |15.1.2    |          |      |          |
|                   |      |15.1.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.3.1  |          |      |BIG-IP ASM|
|BIG-IP (Advanced   |      |14.1.3    |          |          |      |DoS       |
|WAF, ASM)          +------+----------+----------+High      |7.5   |Profile   |
|                   |13.x  |13.1.0 -  |13.1.3.6  |          |      |properties|
|                   |      |13.1.3    |          |          |      |page      |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.3  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|AFM, Analytics,    |14.x  |None      |Not       |          |      |          |
|APM, DDHD, DNS,    |      |          |applicable|Not       |      |          |
|FPS, GTM, Link     +------+----------+----------+vulnerable|None  |None      |
|Controller, PEM,   |13.x  |None      |Not       |          |      |          |
|SSLO)              |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |8.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |7.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |6.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, secure access to the BIG-IP Advanced WAF and
ASM systems to ensure that the Configuration utility is accessible only by
trusted users. To do so, refer to K13092: Overview of securing access to the
BIG-IP system.

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- ----------------------------------------------------------------------------------

K06440657: BIG-IP ASM iControl REST vulnerability CVE-2021-23001

Original Publication Date: 11 Mar, 2021

Security Advisory Description

The upload functionality in BIG-IP ASM allows an authenticated user to upload
files to the BIG-IP system using a call to an undisclosed iControl REST
endpoint. (CVE-2021-23001)

Impact

An unauthenticated malicious user can upload malicious files to use in future
attacks, or simply upload large files to fill the BIG-IP system's disk space.

Security Advisory Status

F5 Product Development has assigned ID 935401 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |16.0.0 -  |16.0.1.1  |          |      |          |
|                   |      |16.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |15.0.0 -  |15.1.2.1  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.4    |          |      |BIG-IP ASM|
|                   |      |14.1.2    |          |          |      |file      |
|BIG-IP (ASM)       +------+----------+----------+Medium    |4.3   |transfer  |
|                   |13.x  |13.1.0 -  |13.1.3.6  |          |      |worker    |
|                   |      |13.1.3    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.3  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.3  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|Advanced WAF, AFM, |14.x  |None      |Not       |          |      |          |
|Analytics, APM,    |      |          |applicable|Not       |      |          |
|DDHD, DNS, FPS,    +------+----------+----------+vulnerable|None  |None      |
|GTM, Link          |13.x  |None      |Not       |          |      |          |
|Controller, PEM,   |      |          |applicable|          |      |          |
|SSLO)              +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |8.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |7.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |6.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
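The Recommended Actions logic above (the same wording is used for K45056101 earlier in this bulletin), as an added example that is not F5 code: it encodes the BIG-IP (ASM) rows of the K06440657 table and classifies a running version, including the "no upgrade candidate" case where the listed fix is not newer than the version in use. The Row and assess names and the sample version strings are constructed for the example.

```python
# Added example (not F5 tooling): apply the Recommended Actions logic to the
# K06440657 table for BIG-IP ASM (CVE-2021-23001). Rows are transcribed from
# the table above; other version strings are constructed inputs.
from typing import NamedTuple

class Row(NamedTuple):
    branch: str
    vuln_lo: str   # first version in "Versions known to be vulnerable"
    vuln_hi: str   # last version of that range (inclusive)
    fix: str       # "Fixes introduced in"

# BIG-IP (ASM) rows of the K06440657 table
ASM_CVE_2021_23001 = [
    Row("16.x", "16.0.0", "16.0.1", "16.0.1.1"),
    Row("15.x", "15.0.0", "15.1.0", "15.1.2.1"),
    Row("14.x", "14.1.0", "14.1.2", "14.1.4"),
    Row("13.x", "13.1.0", "13.1.3", "13.1.3.6"),
    Row("12.x", "12.1.0", "12.1.5", "12.1.5.3"),
    Row("11.x", "11.6.1", "11.6.5", "11.6.5.3"),
]

def parse(version: str) -> tuple:
    """Dotted version -> 4-int tuple, so "15.1.0" and "15.1.0.0" compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(running: str, table=ASM_CVE_2021_23001) -> dict:
    """Classify a running BIG-IP ASM version against the table.
    status: 'vulnerable' (inside a known-vulnerable range), 'fixed' (at or
    above the branch's fix), 'not-listed' (evaluated branch, but outside the
    listed range and below the fix) or 'not-evaluated' (branch absent).
    upgrade_to is the fix version, or None when the listed fix is not newer
    than what is running (the advisory's "no upgrade candidate" case)."""
    rv = parse(running)
    branch = running.split(".")[0] + ".x"
    row = next((r for r in table if r.branch == branch), None)
    if row is None:
        return {"status": "not-evaluated", "upgrade_to": None}
    fix = parse(row.fix)
    if parse(row.vuln_lo) <= rv <= parse(row.vuln_hi):
        return {"status": "vulnerable", "upgrade_to": row.fix if fix > rv else None}
    if rv >= fix:
        return {"status": "fixed", "upgrade_to": None}
    return {"status": "not-listed", "upgrade_to": row.fix}

if __name__ == "__main__":
    for v in ("14.1.2", "14.1.4", "15.1.1", "16.0.1.1", "10.2.4"):
        print(v, assess(v))
```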

Mitigation

None

Supplemental Information

o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----