-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1551.6
Vulnerabilities in multiple F5 BIG-IP Products
15 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP Products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Create Arbitrary Files -- Unknown/Unspecified
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-5891 CVE-2020-5890 CVE-2020-5889
CVE-2020-5888 CVE-2020-5887 CVE-2020-5886
CVE-2020-5885 CVE-2020-5884 CVE-2020-5883
CVE-2020-5881 CVE-2020-5880 CVE-2020-5879
CVE-2020-5877 CVE-2020-5876 CVE-2020-5875
CVE-2020-5874 CVE-2020-5872
Original Bulletin:
https://support.f5.com/csp/article/K46901953
https://support.f5.com/csp/article/K10251014
https://support.f5.com/csp/article/K12234501
https://support.f5.com/csp/article/K88474783
https://support.f5.com/csp/article/K58494243
https://support.f5.com/csp/article/K17663061
https://support.f5.com/csp/article/K63558580
https://support.f5.com/csp/article/K32121038
https://support.f5.com/csp/article/K33572148
https://support.f5.com/csp/article/K10701310
https://support.f5.com/csp/article/K43404365
https://support.f5.com/csp/article/K25165813
https://support.f5.com/csp/article/K72540690
https://support.f5.com/csp/article/K03318649
https://support.f5.com/csp/article/K03386032
https://support.f5.com/csp/article/K72423000
https://support.f5.com/csp/article/K65720640
https://support.f5.com/csp/article/K73274382
https://support.f5.com/csp/article/K54200228
https://support.f5.com/csp/article/K94325657
https://support.f5.com/csp/article/K65372933
https://support.f5.com/csp/article/K24415506
Revision History: September 15 2020: Vendor updated K10701310 adding important
information for conditions that trigger issues
in BIG-IP LTM
July 2 2020: Vendor released minor updates
June 19 2020: Vendor updated K88474783, K32121038 and K54200228
advisories
May 14 2020: Vendor released minor update
May 14 2020: Vendor released minor update
May 1 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K46901953:BIG-IP APM virtual server vulnerability CVE-2020-5874
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
In certain circumstances, an attacker sending specifically crafted requests to
a BIG-IP APM virtual server may cause a disruption of service provided by the
Traffic Management Microkernel(TMM). (CVE-2020-5874)
Impact
An attacker may be able to perform a denial-of-service (DoS) attack on a BIG-IP
system by causing the TMM process to restart.
The data plane is only impacted and exposed when the virtual server is
configured to use OpenID connect. The control plane is not impacted by this
vulnerability.
Security Advisory Status
F5 Product Development has assigned ID 794561 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+------------------+------+----------+----------+----------+------+-----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature |
| | |vulnerable| | | | |
+------------------+------+----------+----------+----------+------+-----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.3 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
| |14.x |14.1.2 |14.1.2.4 | | | |
| | |14.0.0 - |14.0.1.1 | | | |
| | |14.0.1 | | | |OpenID |
|BIG-IP APM +------+----------+----------+High |7.1 |Connect |
| |13.x |None |Not | | |Integration|
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------------+------+----------+----------+----------+------+-----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IP (LTM, AAM, |14.x |None |Not | | | |
|AFM, Analytics, | | |applicable| | | |
|ASM, DNS, Edge +------+----------+----------+ | | |
|Gateway, FPS, GTM,|13.x |None |Not |Not |None |None |
|Link Controller, | | |applicable|vulnerable| | |
|PEM, +------+----------+----------+ | | |
|WebAccelerator) |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------------+------+----------+----------+----------+------+-----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized|6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+------------------+------+----------+----------+----------+------+-----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------------+------+----------+----------+----------+------+-----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
- --------------------------------------------------------------------------------
K54200228:BIG-IP iRules vulnerability CVE-2020-5877
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 02 Jul, 2020
Security Advisory Description
Malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event
may lead to a denial of service. (CVE-2020-5877)
Impact
Remote attackers may be able to perform a denial-of-service (DoS) attack on the
BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 830401 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| | |15.1.0 | | | | |
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.0.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.5 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.4 |High |7.5 |iRules |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.2 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.2 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K12234501:BIG-IP virtual server vulnerability CVE-2020-5883
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
When a virtual server is configured with HTTP explicit proxy and has an
attached HTTP_PROXY_REQUEST iRule, POST requests sent to the virtual server
cause an xdata memory leak. (CVE-2020-5883)
Impact
The BIG-IP system may become vulnerable to conditions that result when it is
out of memory because of a memory leak.
Security Advisory Status
F5 Product Development has assigned ID 810537 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+---------------+------+----------+----------+----------+------+------------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score^|component or |
| | |be |in | |1 |feature |
| | |vulnerable| | | | |
+---------------+------+----------+----------+----------+------+------------------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
|BIG-IP (AAM, |14.x |14.1.2 |14.1.2.4 | | | |
|AFM, APM, ASM, | |14.0.0 - |14.0.1.1 | | |HTTP Explicit |
|Edge Gateway, | |14.0.1 | | | |Proxy Virtual |
|FPS, LTM, Link +------+----------+----------+Medium |5.3 |Server with |
|Controller, |13.x |13.1.0 - |13.1.3.2 | | |HTTP_PROXY_REQUEST|
|PEM, | |13.1.3 | | | |iRule |
|WebAccelerator)+------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+---------------+------+----------+----------+----------+------+------------------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IP +------+----------+----------+ | | |
|(Analytics, |13.x |None |Not |Not |None |None |
|DNS, GTM) | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+---------------+------+----------+----------+----------+------+------------------+
| |6.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+----------+----------+vulnerable|None |None |
|Management |5.x |None |Not | | | |
| | | |applicable| | | |
+---------------+------+----------+----------+----------+------+------------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+---------------+------+----------+----------+----------+------+------------------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K88474783:BIG-IP DoS profile vulnerability CVE-2020-5879
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 18 Jun, 2020
Security Advisory Description
Under certain configurations, the BIG-IP system sends data plane traffic to
back-end servers unencrypted, even when a Server SSL profile is applied. (
CVE-2020-5879)
Impact
The affected system sends some requests to the back-end server without
encryption, possibly leaking sensitive data. The requests affected by this
vulnerability are processed by a virtual server associated with a DoS profile
that has a CAPTCHA challenge configured.
Security Advisory Status
F5 Product Development has assigned ID 513137 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | |BIG-IP DoS|
|BIG-IP (ASM) |13.x |None |Not |Medium |5.9 |profile |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |12.x |None |12.0.0 | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.2 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (LTM, AAM, | | |applicable| | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, DNS, FPS, GTM,|13.x |None |Not |Not |None |None |
|Link Controller, | | |applicable|vulnerable| | |
|PEM) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o The Configuring CAPTCHA for DoS protection section under the Preventing DoS
Attacks on Applications chapter of the BIG-IP Application Security Manager:
Implementations guide.
Note: For information about how to locate F5 product guides, refer to
K12453464: Finding product documentation on AskF5.
- --------------------------------------------------------------------------------
K58494243:BIG-IP HTTP/2 vulnerability CVE-2020-5891
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
Undisclosed HTTP/2 requests can lead to a denial of service when sent to a
virtual server configured with the Fallback Host setting and a server-side HTTP
/2 profile. (CVE-2020-5891)
Impact
The Traffic Management Microkernel (TMM) may generate a core file and restart,
causing a traffic disruption or failover event. This vulnerability affects only
virtual servers with the Fallback Host setting configured and a server-side
HTTP/2 profile assigned.
Security Advisory Status
F5 Product Development has assigned ID 868097 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| | |15.1.0 |15.1.0.2 | | | |
| |15.x |15.0.0 - |15.0.1.3 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.4 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | |HTTP/2 |
|APM, ASM, FPS, Link|13.x |None |Not |Low |3.7 |profile |
|Controller, PEM) | | |applicable| | | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IP (GTM, DNS) |13.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can remove the fallback host from the HTTP
profile on the client side. To do so, perform the following procedure:
Impact of action: The fallback host configuration option allows the BIG-IP
system to serve a 302 response to redirect clients to a specific website when
the pool associated with the virtual server is marked down. After you remove
the fallback host configuration option, the system does not serve any pages to
clients when the pool is unavailable.
1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles > Services > HTTP.
3. Select the HTTP profile associated with the virtual server.
4. In the Fallback Host box, delete all contents.
5. Select Update.
Note: Changes will take effect only for newly established connections.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K17663061:BIG-IP SSL state mirroring vulnerability CVE-2020-5885
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 02 Jul, 2020
Security Advisory Description
BIG-IP systems set up for connection mirroring in a high availability (HA) pair
transfer sensitive cryptographic objects over an insecure communications
channel. This is a control plane issue which is exposed only on the network
used for connection mirroring. (CVE-2020-5885)
Impact
On-path attackers may be able to read and modify the keys used for EXPORT-based
cipher suites. Only HA pairs with session mirroring or connection mirroring
enabled are vulnerable.
Security Advisory Status
F5 Product Development has assigned ID 829117 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.1.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.5 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.4 |Medium |4.8 |BIG-IP HA |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.2 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can enable the statemirror.secure database
variable to protect the VLAN that you use for mirroring from untrusted
entities. To do so, perform one of the following procedures:
o Enabling the statemirror.secure database variable
o Protecting the VLAN that you use for mirroring from untrusted entities
Enabling the statemirror.secure database variable
Impact of action: Performing the following procedure should not have a negative
impact on your system.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. To enable the statemirror.secure database variable, enter the following
command:
modify /sys db statemirror.secure value enable
Protecting the VLAN that you use for mirroring from untrusted entities
o To prevent on-path attackers from exploiting this vulnerability, you
can set up a direct connection between the BIG-IP HA systems.
o To reduce the risk of the vulnerability, you can protect the VLAN that you
use for mirroring from untrusted entities.
For more information, refer to the Mirroring recommendations section of
K14135: Defining network resources for BIG-IP HA features (11.x - 15.x) and
the Recommendations section of K84303332: Overview of connection and
persistence mirroring (13.x - 15.x).
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K63558580:BIG-IP crypto driver vulnerability CVE-2020-5872
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
When processing TLS traffic with hardware cryptographic acceleration enabled on
platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may
stop responding and cause a failover event. (CVE-2020-5872)
Impact
Hardware cryptographic acceleration fails and TMM may stop responding, which
causes a failover event if the BIG-IP system is configured as part of a device
group. This vulnerability applies to the following platforms:
o i4600, i4800, YK i4000
o i5600, i5800, HRC-i5000, HRC-i5800, i5820-DF
o i7600, i7800, i7000-D, i7820-DF
o i10600, i10800, i10000-D, HRC-i10800
o i11600, i11800, i11000-DS, i11000-D
o i15600, i15800, i15000-N
o VIPRION B4400N blade
Security Advisory Status
F5 Product Development has assigned ID 762453 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+-----------------+------+----------+----------+----------+------+------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score^|component or|
| | |be |in | |1 |feature |
| | |vulnerable| | | | |
+-----------------+------+----------+----------+----------+------+------------+
| |15.x |None |15.0.0 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
| |14.x |14.1.2 |14.1.2.4 | | | |
| | |14.0.0 - |14.0.1.1 | | | |
|BIG-IP (LTM, AAM,| |14.0.1 | | | | |
|AFM, Analytics, +------+----------+----------+ | |SSL Profiles|
|APM, ASM, DNS, |13.x |13.1.0 - |13.1.3.2 |High |7.5 |- Hardware |
|FPS, GTM, Link | |13.1.3 | | | |acceleration|
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5 | | | |
| | |12.1.4 | | | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+----------+------+------------+
| |6.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+----------+----------+vulnerable|None |None |
|Management |5.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+----------+------+------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------------+------+----------+----------+----------+------+------------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this issue, you can disable crypto hardware acceleration. To do so,
perform the following procedure:
Note: Disabling hardware-based crypto acceleration results in all crypto
actions processed in software, which may cause higher CPU and memory usage
based on traffic patterns.
Impact of workaround: The impact of the suggested workaround depends on the
specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. Disable crypto hardware acceleration by entering the following command:
modify /sys db crypto.hwacceleration value disable
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K32121038:BIG-IP mcpd vulnerability CVE-2020-5876
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 18 Jun, 2020
Security Advisory Description
A race condition exists where mcpd and other processes may make unencrypted
connection attempts to a new configuration sync peer. The race condition can
occur when changing the ConfigSync IP address of a peer, adding a new peer, or
when the Traffic Management Microkernel (TMM) first starts up. (CVE-2020-5876)
Impact
The race condition gives a small window of opportunity for an attacker to
takeover the connection and spoof a trusted peer device to extract and/or
modify sensitive information on the system. This vulnerability is only present
when the BIG-IP system is configured as part of a ConfigSync high availability
(HA) device group.
Security Advisory Status
F5 Product Development has assigned ID 811849 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.4^2| | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |None |High |8.1 |mcpd |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.1 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.2 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K33572148:The BIG-IP ASM system may fail to mask a configured sensitive parameter in the
Referer header value
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
The BIG-IP ASM system may fail to mask a configured sensitive parameter in the
Referer header value.
This issue occurs when all of the following conditions are met:
o You configured a sensitive parameter located in Security > Application
Security > Parameters > Sensitive Parameters for a security policy.
o The virtual server associated with the security policy receives a request
containing the configured sensitive parameter in its query string.
Impact
The BIG-IP ASM system does not mask the configured sensitive parameter in a
redirected request, and the request exposes the value of the sensitive
parameter in the Referer HTTP header.
Symptoms
As a result of this issue, you may encounter the following symptom:
o When a client request with a configured sensitive parameter, for example,
param, is received:
/users/testuser/crsf/1.phpparam=asd
And the request is then redirected with the URI as part of the Referer
header, the value of the sensitive parameter, param, is unmasked:
GET /index.phpparam=123 HTTP/1.1
Connection: keep-alive
X-Forwarded-For: 192.168.5.1
Referer: http://192.168.198.27/users/testuser/crsf/1.phpparam=asd
Host: 192.168.198.27
User-Agent: Apache-HttpClient/4.2.6 (java 1.5)
Security Advisory Status
F5 Product Development has assigned ID 681010 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |None |None |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.1.0.2 |K9502: BIG-IP hotfix and point release |
|hotfix |15.0.1.3 |matrix |
| |14.1.2.4 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
There is no workaround prior to BIG-IP 14.0.0. To work around this issue in
BIG-IP 14.0.0 and later, you can enable the Mask Value in Logs setting for the
Referer HTTP header in the affected security policy. To do so, perform the
following procedure:
Impact of workaround: Enabling this setting masks the value of the Referer
header in all requests, as well as all logs, regardless of whether there is
sensitive information in it or not. Depending on your application environment,
this may have an impact, especially when troubleshooting application issues.
1. Log in to the Configuration utility.
2. Go to Security > Application Security > Headers > HTTP Headers.
3. For Currently edited policy, select the policy you want to modify.
4. For HTTP Headers, select referer.
5. For Mask Value in Logs, select the Enable check box.
6. Select Update.
7. Select Apply Policy.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K52154401: Masking data in the BIG-IP ASM request log
- --------------------------------------------------------------------------------
K10701310:BIG-IP may not detect invalid Transfer-Encoding headers
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 15 Sep, 2020
Security Advisory Description
This issue occurs when the conditions are met based on the BIG-IP module
provisioned and the affected version listed in the following table.
+-------+------------------------------------------------------------+--------+
|Product|Conditions that trigger the issue |Affected|
|(s) | |versions|
+-------+------------------------------------------------------------+--------+
| |For versions prior to 15.1.0, the implementation for | |
| |enforcing RFC compliance for the HTTP protocol is not | |
| |per-profile, it is global for all HTTP profiles by enabling | |
| |the Tmm.HTTP.RFC.Enforcement system database variable. When | |
| |the database variable is enabled, the BIG-IP system is not | |
|BIG-IP |caught by the protocol compliance checks. |14.1.2.3|
|LTM | |12.1.5.1|
| |Important: If either HTTP PSM or ASM are configured on a | |
| |virtual server, the state of the tmm.http.rfc.enforcement | |
| |variable or the "Enforce RFC Compliance" check box (15.1.0+)| |
| |is ignored on that virtual server. Requests will be allowed | |
| |or blocked based on the configured ASM or PSM policy. | |
+-------+------------------------------------------------------------+--------+
|BIG-IP | | |
|AAM, |These products inherit HTTP features from BIG-IP LTM. |14.1.2.3|
|APM, | |12.1.5.1|
|PEM | | |
+-------+------------------------------------------------------------+--------+
| | |15.0.1 |
| | |15.0.0 |
|BIG-IP |The HTTP protocol security feature is configured and |14.1.2 |
|AFM |associated to a virtual server. |14.1.0 |
| | |13.1.x |
| | |12.1.x |
| | |11.6.x |
+-------+------------------------------------------------------------+--------+
Impact
BIG-IP LTM, AAM, APM, and PEM may not drop invalid traffic as expected.
BIG-IP AFM may not block or alarm invalid traffic as expected.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Detection of invalid Transfer-Encoding headers may not work as expected.
Security Advisory Status
F5 Product Development has assigned ID 831325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.1.0 |K2200: Most recent versions of F5 |
| | |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.1 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.2.4^1 |matrix |
+------------------+-----------------+----------------------------------------+
^1BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.
Security Advisory Recommended Actions
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K43404365:BIG-IP APM logs may contain random data after the APM session ID
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
The BIG-IP APM system may log random data after the APM session ID in the /var/
log/apm logs. An additional 24 bytes of random information may be logged after
the APM session ID. This issue occurs when the following condition is met:
o You use the ACCESS::log command in an iRule associated with the BIG-IP APM
virtual server.
For more information on the ACCESS::log command, refer to Clouddocs
Access::log.
Impact
The characters logged after the APM session ID may leak random information.
Symptoms
As a result of this issue, you may encounter the following symptom:
o You observe random information logged in the /var/log/apm file, after the
APM session ID, similar to the following example:
notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52 virtual=/Common/example-VS
Security Advisory Status
F5 Product Development has assigned ID 788593 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.1.0 |K2200: Most recent versions of F5 |
| | |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.3 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.2.4 |matrix |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K25165813:BIG-IP SSL connection Alert Timeout security exposure
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
The mitigation for K41515225: BIG-IP SSL connection security exposure may not
work in all conditions.
If after applying the workaround in K41515225: BIG-IP SSL connection security
exposure, setting the Alert Timeout to its minimum value of 1 second, you
continue to experience the same issue (spike in network throughput and increase
resource usage), it may be due to the issue described in this article. This is
most commonly seen in extremely high bandwidth networks, as the remote host can
send a large amount of data to the BIG-IP system within the 1 second minimum
value of the Alert Timeout.
This issue occurs when all of the following conditions are met:
o You configure a virtual server with Client SSL and Server SSL profiles.
o The virtual server proxies an SSL connection.
o One side of the SSL connection sends a FIN midstream to the BIG-IP system.
o You performed the workaround described in K41515225: BIG-IP SSL connection
security exposure and set the Alert Timeout value to its minimum value of 1
second.
Impact
The BIG-IP system is capable of receiving, acknowledging, and dropping traffic
at extremely high bandwidths, and since the connection is no longer
bandwidth-limited by the original client, you may observe a spike in throughput
between the peer and the BIG-IP system. It is possible, depending on the
peer-side network, that this spike in throughput can exhaust available network
bandwidth between the BIG-IP system and the peer, even when the Alert Timeout
is set at the minimum value of 1 second.
Symptoms
As a result of this issue, you may encounter one or more of the following
symptoms:
o You view increased network throughput between the peer and the BIG-IP
system.
o Connections on the peer system remain open indefinitely until the remote
host completes transmitting data to the BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 750278 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+------------------+---------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+------------------+---------------------------------------+
|Release |15.1.0^1 |K2200: Most recent versions of F5 |
| |15.0.1.3^1 |software |
+------------------+------------------+---------------------------------------+
|Point release/ |None |None |
|hotfix | | |
+------------------+------------------+---------------------------------------+
^1In this fix, after you upgrade to a software version listed in the Fixes
Introduced In column, the SSL Alert Timeout option now supports the Immediate
value, which makes the BIG-IP system reset both client and server side flows
after 1/1000 second. You need to configure your Server SSL profile and set the
SSL Alert Timeout to Immediate.
Security Advisory Recommended Actions
Workaround
There is no workaround for this issue. You need to upgrade your BIG-IP system
to a software version listed in the Fixes Introduced In column and configure
the SSL Alert Timeout setting to Immediate, which makes the BIG-IP system reset
both client and server side flows after 1/1000 second. Reducing the Alert
Timeout value will directly affect the amount of data transferred after the
original FIN is received. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a
negative impact on your system.
1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles > SSL > Server SSL.
3. Select the name of the profile associated with the virtual server.
4. Next to Configuration, select Advanced.
5. For Alert Timeout, select Immediate.
6. Click Update.
New SSL connections to the virtual server will use the new setting.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K72540690:BIG-IP high availability state mirroring vulnerability CVE-2020-5884
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
The default deployment mode for BIG-IP high availability (HA) pair mirroring is
insecure. This is a control plane issue that is exposed only on the network
used for mirroring. (CVE-2020-5884)
Impact
On-path attackers may be able to read and modify data in transit. Depending on
the deployment, this may include state mirroring messages, client connection
details, client data packets, and/or client persistence data.
Security Advisory Status
F5 Product Development has assigned ID 825449 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |None | | | |
| | |15.1.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |None | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |None |Medium |6.5 |BIG-IP HA |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |None | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |None | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
F5 will not develop a fix for vulnerable products that do not already have a
fixed version listed in this article, and will not update this table with
subsequent vulnerable releases in the associated branches. F5 recommends that
you update to more recent, non-vulnerable versions whenever feasible. For more
information, refer to K4602: Overview of the F5 security vulnerability response
policy.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can enable the statemirror.secure database
variable protect the VLAN used for mirroring from untrusted entities. To do so,
perform one of the following procedures:
o Enabling the statemirror.secure database variable
o Protecting the VLAN used for mirroring from untrusted entities
Enabling the statemirror.secure database variable
To enable the statemirror.secure database variable, perform the following
procedure:
Impact of action: Performing the following procedure should not have a negative
impact on your system.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. To enable the statemirror.secure database variable, enter the following
command:
modify /sys db statemirror.secure value enable
Protecting the VLAN used for mirroring from untrusted entities
To prevent on-path attackers from exploiting this vulnerability, you can set up
a direct connection between the BIG-IP HA systems.
To reduce the risk of this vulnerability, you can also protect the VLAN used
for mirroring from untrusted entities. For more information, refer to the
Mirroring recommendations section of K14135: Defining network resources for
BIG-IP HA features (11.x - 15.x) and the Recommendations section of K84303332:
Overview of connection and persistence mirroring (13.x - 15.x).
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K03318649:BIG-IP QKView vulnerability CVE-2020-5890
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 02 Jul, 2020
Security Advisory Description
When creating a QKView, credentials for binding to LDAP servers used for remote
authentication of the BIG-IP administrative interface will not fully obfuscate
if they contain whitespace. (CVE-2020-5890)
Impact
The BIG-IP system may disclose sensitive information used for authentication
with Lightweight Directory Access Protocol (LDAP) servers to an unprivileged
user.
Security Advisory Status
F5 Product Development has assigned ID 823893 (BIG-IP), ID 836497 (BIG-IQ) to
this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.1.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.5 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.4 |Low |3.3 |QKView |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.2 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |7.0.0 |None | | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |6.0.0 - |None | | | |
|Management | |6.1.0 | |Low |3.3 |QKView |
| +------+----------+----------+ | | |
| |5.x |5.2.0 - |None | | | |
| | |5.4.0 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
- --------------------------------------------------------------------------------
K03386032:BIG-IP VE interface vulnerability CVE-2020-5881
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
When the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there
are devices configured with OSPF connected to it, the Network Device
Abstraction Layer (NDAL) Interfaces can lock up and in turn disrupting the
communication between the mcpd and tmm processes (CVE-2020-5881).
Impact
This issue only affects BIG-IP VE. The BIG-IP system temporarily fails to
process traffic as it recovers from a Traffic Management Microkernel (TMM)
restart, and devices configured in a device group may fail over.
Security Advisory Status
F5 Product Development has assigned ID 789921 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.1.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.4 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |None |Medium |5.3 |TMM |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K72423000:The BIG-IP AFM ACL and IPI features may not function as designed
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
This issue occurs when all of the following conditions are met:
o You have provisioned and configured the BIG-IP AFM module.
o Your system has active TCP mitigations.
Impact
Some BIG-IP AFM features like access control lists (ACLs) and IP Intelligence
(IPI) are not functional.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Under certain conditions, ACLs, IPI, and other BIG-IP AFM features may not
function as designed.
Security Advisory Status
F5 Product Development has assigned ID 778869 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.1.0 |K2200: Most recent versions of F5 |
| | |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |14.1.2.4 |K9502: BIG-IP hotfix and point release |
|hotfix |14.0.1.1 |matrix |
| |13.1.3.2 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
You can avoid this issue by disabling the active TCP mitigations for the
TCP-half-open vector.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K65720640:BIG-IP SSL state mirroring vulnerability CVE-2020-5886
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 02 Jul, 2020
Security Advisory Description
BIG-IP systems setup for connection mirroring in a High Availability (HA) pair
transfers sensitive cryptographic objects over an insecure communications
channel. This is a control plane issue which is exposed only on the network
used for connection mirroring. (CVE-2020-5886)
Impact
On-path attackers may be able to read and modify the Diffie-Hellman (DH)
parameters used by data plane SSL/TLS enabled virtual servers. Only HA pairs
with session mirroring or connection mirroring enabled are vulnerable.
Security Advisory Status
F5 Product Development has assigned ID 829121 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.1.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.5 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.4 |Medium |4.8 |BIG-IP HA |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.2 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can enable the statemirror.secure database
variable to protect the VLAN used for mirroring from untrusted entities. To do
so, perform one of the following procedures:
o Enabling the statemirror.secure database variable
o Protecting the VLAN used for mirroring from untrusted entities
Enabling the statemirror.secure database variable
Impact of action: Performing the following procedure should not have a negative
impact on your system.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. To enable the statemirror.secure database variable, enter the following
command:
modify /sys db statemirror.secure value enable
Protecting the VLAN used for mirroring from untrusted entities
To prevent on-path attackers from exploiting this vulnerability, you can set up
a direct connection between the BIG-IP HA systems.
To reduce the risk of the vulnerability, you can also protect the VLAN used for
mirroring from untrusted entities. For more information, refer to the Mirroring
recommendations section of K14135: Defining network resources for BIG-IP HA
features (11.x - 15.x) and the Recommendations section of K84303332: Overview
of connection and persistence mirroring (13.x - 15.x).
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K73274382:BIG-IP Virtual Edition TMM vulnerability CVE-2020-5888
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer
2) attackers to access local daemons and bypass port lockdown settings. (
CVE-2020-5888)
Impact
Hosts in adjacent networks may be able to bypass port lockdown settings on
BIG-IP VE hosts.
Security Advisory Status
F5 Product Development has assigned ID ID832021 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| | |15.1.0 |15.1.0.2 | | | |
| |15.x |15.0.0 - |15.0.1.3 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.4 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | |TMM in |
|AFM, Analytics, +------+----------+----------+ | |Virtual |
|APM, ASM, DNS, FPS,|13.x |None |Not |Medium |5.4 |Edition |
|GTM, Link | | |applicable| | |BIGIP |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can limit access to the local IPv6 F5
addresses using the following two methods:
o Creating a packet filter rule to limit access to IPv6 address fc00:f5::1
o Creating a BIG-IP AFM rule to limit access to IPv6 address fc00:f5::1
Creating a packet filter rule to limit access to IPv6 address fc00:f5::1
To create a packet filter rule, perform the following procedure:
1. Log in to the BIG-IP Configuration utility.
2. Navigate to Network > Packet Filters > Rules.
3. Select the Create button.
4. In the Name text box, enter the following content:
limit-access-to-fc00-f5-1-ipv6-rule
5. For Order, select Last.
6. For Action, select Discard.
7. For Filter Expression Method, select Enter Expression Text.
8. In the Filter Expression text box, enter the following content:
( ( ip6 ) ) and ( dst host fc00:f5::1 )
9. Select the Finished button.
Creating a BIG-IP AFM rule to limit access to IPv6 address fc00:f5::1
Note: To mitigate this issue, BIG-IP AFM must be licensed and provisioned.
If no BIG-IP AFM policies exist, you must first create a policy using the name
of your choice and apply it to the global BIG-IP AFM context, detailed in steps
1 through 8. Otherwise, skip steps 1 through 8 and proceed with step 9 after
you log in to the BIG-IP Configuration utility:
1. Log in to the BIG-IP Configuration utility.
2. Navigate to Security > Network Firewall > Policies.
3. Select the Create button and enter a policy name.
4. Select Finished.
5. Select the Active Rules tab.
6. Select the Global link under Active Rules List.
7. Under the Network Firewall section, change Enforcement to Enabled and
select the policy name that you created.
8. Click Update.
9. Navigate to Security > Network Firewall > Policies.
10. Select your policy, and then select the Add Rule button.
11. In the Rule fields, add the following from defaults:
Name: limit-access-to-fc00-f5-1-ipv6-afm-rule
Protocol: Any
Destination: fc00:f5::1 (Click the Add button after entering)
Action: Drop
12. Select the Done Editing button.
13. To activate the new rule, select the Commit Changes to System button.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K54200228:BIG-IP iRules vulnerability CVE-2020-5877
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 18 Jun, 2020
Security Advisory Description
Malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event
may lead to a denial of service. (CVE-2020-5877)
Impact
Remote attackers may be able to perform a denial-of-service (DoS) attack on the
BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 830401 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| | |15.1.0 | | | | |
| |15.x |15.0.0 - |15.1.0.2 | | | |
| | |15.0.0 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.5 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |None |High |7.5 |iRules |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |None | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.2 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K94325657:BIG-IP restjavad vulnerability CVE-2020-5880
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
The restjavad process may expose a way for attackers to upload arbitrary files
on the BIG-IP system, bypassing the authorization system. Resulting error
messages may also reveal internal paths of the server. (CVE-2020-5880)
Impact
A remote attacker may be able to fill the disk storage and make the BIG-IP host
inoperable.
Security Advisory Status
F5 Product Development has assigned ID 775833 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.4 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |None |Not |Medium |6.5 |restjavad |
|GTM, Link | | |applicable| | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
There is scope for mitigation through employing standard best security
practices by limiting access to the Configuration utility to known IP addresses
and allowing access to to Configuration utility to trusted users only. For more
information, refer to K13092: Overview of securing access to the BIG-IP system.
Acknowledgements
F5 would like to acknowledge Ismael Goncalves for bringing this issue to our
attention, and for following the highest standards of responsible disclosure.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K65372933:BIG-IP HTTP/2 vulnerability CVE-2020-5875
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
Under certain conditions, the Traffic Management Microkernel (TMM) may generate
a core file and restart while processing SSL traffic with an HTTP/2 full proxy.
(CVE-2020-5875)
Impact
If you have enabled HTTP/2, Message Routing Framework (MRF), and SSL, a certain
request sequence can trigger a condition that may cause TMM to generate a core
file and restart. An attacker may be able to cause a BIG-IP system to produce a
core file, disrupting the flow of traffic and causing a failover to a standby
system.
Security Advisory Status
F5 Product Development has assigned ID 802261 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.4 | | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | |virtual |
|AFM, Analytics, +------+----------+----------+ | |servers |
|APM, ASM, DNS, FPS,|13.x |None |Not |High |7.5 |(HTTP MRF |
|GTM, Link | | |applicable| | |Router |
|Controller, PEM) +------+----------+----------+ | |option) |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------------------------------------------------------------
K24415506:BIG-IP APM portal access reflected XSS vulnerability CVE-2020-5889
Security Advisory
Original Publication Date: 30 Apr, 2020
Security Advisory Description
In BIG-IP APM portal access, a specially crafted HTTP request can lead to
reflected XSS after the BIG-IP APM system rewrites the HTTP response from the
untrusted backend server and sends it to the client. (CVE-2020-5889)
Impact
An attacker can craft a malicious URL and send it to a victim to launch a
cross-site scripting (XSS) attack.
Security Advisory Status
F5 Product Development has assigned IDs 864109 and 873469 (BIG-IP) to this
vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| | |15.1.0 |15.1.0.2 | | | |
| |15.x |15.0.0 - |15.0.1.3 | | | |
| | |15.0.1 | | | | |
| +------+----------+----------+ | | |
| |14.x |14.0.0 - |14.1.2.4 | | | |
| | |14.1.2 | | | | |
| +------+----------+----------+ | |BIG-IP APM|
|BIG-IP (APM) |13.x |None |Not |Medium |4.9 |portal |
| | | |applicable| | |access |
| +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (LTM, AAM, | | |applicable| | | |
|AFM, Analytics, +------+----------+----------+ | | |
|ASM, DNS, FPS, GTM,|13.x |None |Not |Not |None |None |
|Link Controller, | | |applicable|vulnerable| | |
|PEM) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can associate an iRule to the affected
BIG-IP APM virtual server. For more information about the iRule, contact F5
Support.
Acknowledgements
F5 would like to acknowledge Sai Mamidala of the Financial Industry Regulatory
Authority (FINRA) for bringing this issue to our attention and for following
the highest standards of responsible disclosure.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- -----------------------------------------------------------------------------
K43404365:BIG-IP APM logs may contain random data after the APM session ID
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 14 May, 2020
Security Advisory Description
The BIG-IP APM system may log random data after the APM session ID in the /var/
log/apm logs. An additional 24 bytes of random information may be logged after
the APM session ID. This issue occurs when the following condition is met:
o You use the ACCESS::log command in an iRule associated with the BIG-IP APM
virtual server.
For more information on the ACCESS::log command, refer to Clouddocs
Access::log.
Impact
The characters logged after the APM session ID may leak random information.
Symptoms
As a result of this issue, you may encounter the following symptom:
o You observe random information logged in the /var/log/apm file, after the
APM session ID, similar to the following example:
notice tmm[20234]: 0149ffff:5: /Common/example-VS:45e70a52 virtual=/Common/example-VS
Security Advisory Status
F5 Product Development has assigned ID 788593 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.1.0 |K2200: Most recent versions of F5 |
| | |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.3 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.2.4^1 |matrix |
+------------------+-----------------+----------------------------------------+
^1 BIG-IP 14.1.2.4 is not a supported release; please use a later release.
Refer to K5903: BIG-IP software support policy.
Security Advisory Recommended Actions
Workaround
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- ------------------------------------------------------------------------------
K63558580:BIG-IP crypto driver vulnerability CVE-2020-5872
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 14 May, 2020
Security Advisory Description
When processing TLS traffic with hardware cryptographic acceleration enabled on
platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may
stop responding and cause a failover event. (CVE-2020-5872)
Impact
Hardware cryptographic acceleration fails and TMM may stop responding, which
causes a failover event if the BIG-IP system is configured as part of a device
group. This vulnerability applies to the following platforms:
o i4600, i4800, YK i4000
o i5600, i5800, HRC-i5000, HRC-i5800, i5820-DF
o i7600, i7800, i7000-D, i7820-DF
o i10600, i10800, i10000-D, HRC-i10800
o i11600, i11800, i11000-DS, i11000-D
o i15600, i15800, i15000-N
o VIPRION B4400N blade
Security Advisory Status
F5 Product Development has assigned ID 762453 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+-----------------+------+----------+----------+----------+------+------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to |introduced|Severity |score^|component or|
| | |be |in | |1 |feature |
| | |vulnerable| | | | |
+-----------------+------+----------+----------+----------+------+------------+
| |15.x |None |15.0.0 | | | |
| +------+----------+----------+ | | |
| | |14.1.0 - | | | | |
| |14.x |14.1.2 |14.1.2.4^2| | | |
| | |14.0.0 - |14.0.1.1 | | | |
|BIG-IP (LTM, AAM,| |14.0.1 | | | | |
|AFM, Analytics, +------+----------+----------+ | |SSL Profiles|
|APM, ASM, DNS, |13.x |13.1.0 - |13.1.3.2 |High |7.5 |- Hardware |
|FPS, GTM, Link | |13.1.3 | | | |acceleration|
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5 | | | |
| | |12.1.4 | | | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+----------+------+------------+
| |6.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+----------+----------+vulnerable|None |None |
|Management |5.x |None |Not | | | |
| | | |applicable| | | |
+-----------------+------+----------+----------+----------+------+------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------------+------+----------+----------+----------+------+------------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this issue, you can disable crypto hardware acceleration. To do so,
perform the following procedure:
Note: Disabling hardware-based crypto acceleration results in all crypto
actions processed in software, which may cause higher CPU and memory usage
based on traffic patterns.
Impact of workaround: The impact of the suggested workaround depends on the
specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
2. Disable crypto hardware acceleration by entering the following command:
modify /sys db crypto.hwacceleration value disable
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- ------------------------------------------------------------------------------
K10701310:BIG-IP may not detect invalid Transfer-Encoding headers
Security Advisory
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 14 May, 2020
Security Advisory Description
This issue occurs when the conditions are met based on the BIG-IP module
provisioned and the affected version listed in the following table.
+-------+------------------------------------------------------------+--------+
|Product|Conditions that trigger the issue |Affected|
|(s) | |versions|
+-------+------------------------------------------------------------+--------+
| |For versions prior to 15.1.0, the implementation for | |
| |enforcing RFC compliance for the HTTP protocol is not | |
|BIG-IP |per-profile, it is global for all HTTP profiles by enabling |14.1.2.3|
|LTM |the Tmm.HTTP.RFC.Enforcement system database variable. When |12.1.5.1|
| |the database variable is enabled, the BIG-IP system is not | |
| |caught by the protocol compliance checks. | |
+-------+------------------------------------------------------------+--------+
|BIG-IP | | |
|AAM, |These products inherit HTTP features from BIG-IP LTM. |14.1.2.3|
|APM, | |12.1.5.1|
|PEM | | |
+-------+------------------------------------------------------------+--------+
| | |15.0.1 |
| | |15.0.0 |
|BIG-IP |The HTTP protocol security feature is configured and |14.1.2 |
|AFM |associated to a virtual server. |14.1.0 |
| | |13.1.x |
| | |12.1.x |
| | |11.6.x |
+-------+------------------------------------------------------------+--------+
| | |15.0.1 |
| | |15.0.0 |
|BIG-IP |An ASM security policy is configured with the enforcement of|14.1.2 |
|ASM |HTTP protocol RFC compliance. |14.1.0 |
| | |13.1.x |
| | |12.1.x |
| | |11.6.x |
+-------+------------------------------------------------------------+--------+
Impact
BIG-IP LTM, AAM, APM, and PEM may not drop invalid traffic as expected.
BIG-IP AFM and ASM may not block or alarm invalid traffic as expected.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Detection of invalid Transfer-Encoding headers may not work as expected.
Security Advisory Status
F5 Product Development has assigned ID 831325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.1.0 |K2200: Most recent versions of F5 |
| | |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |15.0.1.1 |K9502: BIG-IP hotfix and point release |
|hotfix |14.1.2.4^1 |matrix |
+------------------+-----------------+----------------------------------------+
^1 BIG-IP 14.1.2.4 is not a supported release; please use a later release.
Refer to K5903: BIG-IP software support policy.
Security Advisory Recommended Actions
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX1/qOONLKJtyKPYoAQgN7RAAhvJ0jxNAUDR/2MjxqBgNsuwI7JByDRI1
FmbuoAIWTh3rvROQvUe+v2zdd4j4ESnktWbBqkd098vjAkgx9eD6dYqhsTTfttsl
88MJG/W3ZupPbbbLakrYM+PgOAfBieG435eDDPbf8bts+nmCfQFZ/cL3V5YaYe+X
UuqY4OiofmVHvSamXP6JX+pBpqHN9GHQufIfaZWrUCddf0x+cdyR4oQmRjakD+g9
jmuXgXmRrbe9ZxSRg6Hn3inVOe0n5Oo6sD0TIHY3tUmmP6p0WSaqqsjdjlIVwyby
DXPlZ3VoA57SdJSrseBxryQP2+zkRXdqYT1SuBZuWZI7nfJ/DV+Uf4K4/RSpEbd4
5IC2ZK1rqvVapHS+BMtglVJC0u5IqClaLPWob0Ka8cjvh2wrpoBKA+w7NQD5HkN+
OlRXUJzU2quOobnzVhfmqOh9JF56gI41UKSOJLMExsUzQQzA+BPEXGtw9cbgcgX5
nEuQ2ZEU/Brp5WwA4CnwFmXGu+VRpP3zCz8QpNArwNh9FgHw6QM1gwxvHt9l1NzU
ymmxYc//LPb+TVylvOe3vu53WeqZMNxczI6TB239RUe5mqQron7W4CIaQrkG9oOO
HyyPz39INm7FbPJY6KNjIcSgWMciDDGZQ02omxxeFu26VmJ0JxrWpqaCXfEZBVDv
JsJt/05BEe4=
=sHwk
-----END PGP SIGNATURE-----
The post ESB-2020.1551.6 – UPDATE [Appliance] F5 BIG-IP Products: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2020/09/15/esb-2020-1551-6-update-appliance-f5-big-ip-products-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-1551-6-update-appliance-f5-big-ip-products-multiple-vulnerabilities
