F5 Products Multiple Vulnerabilities
Multiple vulnerabilities were identified in F5 products. An attacker can exploit these vulnerabilities to trigger remote code execution, a denial of service condition and elevation of privilege on the targeted system.
Note:
No patch is currently available for CVE-2016-9840, CVE-2016-9841, CVE-2019-17563, CVE-2020-8037, CVE-2023-2650 and CVE-2023-45853 of the affected products. No patch or workaround is currently available for CVE-2024-6119. Hence, the risk level is rated as High Risk.
RISK: High Risk
TYPE: Operating Systems – Network OS

Impact
- Denial of Service
- Elevation of Privilege
- Remote Code Execution
System / Technologies affected
BIG-IP (all modules)
- 17.0.0 – 17.1.2
- 16.0.0 – 16.1.5
- 15.0.0 – 15.1.10
- 14.1.0 – 14.1.5
- 13.1.0 – 13.1.5
- 12.1.0 – 12.1.6
- 11.5.2 – 11.6.5
BIG-IQ Centralized Management
- 8.0.0 – 8.3.0
BIG-IP Next (LTM)
- 20.2.0 – 20.3.0
BIG-IP Next SPK
- 1.7.0 – 1.9.2
BIG-IP Next CNF
- 1.1.0 – 1.4.0
APM Clients
- 7.2.4 – 7.2.5
F5OS-A
- 1.8.0
- 1.7.0
- 1.5.0 – 1.5.2
- 1.4.0
- 1.3.0 – 1.3.2
F5OS-C
- 1.8.0
- 1.6.0 – 1.6.2
- 1.5.0 – 1.5.1
Traffix SDC
- 5.2.0
- 5.1.0
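The affected ranges above are inclusive at both ends and compare numerically per component (15.1.10 is newer than 15.1.9, which a plain string comparison gets wrong). The following is an added example, not part of the advisory or F5's own tooling: a small inventory triage helper that parses the ranges exactly as listed on this page and reports which hosts fall inside them. The inventory rows and hostnames are constructed sample data, and treating a four-component point release beyond a listed upper bound (for example 17.1.2.1) as outside the range is an assumption of this example.

```python
"""Triage an inventory of F5 products against the affected-version ranges in this advisory."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected version ranges copied from the advisory; "a – b" is inclusive, a bare
# version is a range of one.
AFFECTED_RANGES: Dict[str, List[str]] = {
    "BIG-IP": ["17.0.0 – 17.1.2", "16.0.0 – 16.1.5", "15.0.0 – 15.1.10",
               "14.1.0 – 14.1.5", "13.1.0 – 13.1.5", "12.1.0 – 12.1.6",
               "11.5.2 – 11.6.5"],
    "BIG-IQ Centralized Management": ["8.0.0 – 8.3.0"],
    "BIG-IP Next (LTM)": ["20.2.0 – 20.3.0"],
    "BIG-IP Next SPK": ["1.7.0 – 1.9.2"],
    "BIG-IP Next CNF": ["1.1.0 – 1.4.0"],
    "APM Clients": ["7.2.4 – 7.2.5"],
    "F5OS-A": ["1.8.0", "1.7.0", "1.5.0 – 1.5.2", "1.4.0", "1.3.0 – 1.3.2"],
    "F5OS-C": ["1.8.0", "1.6.0 – 1.6.2", "1.5.0 – 1.5.1"],
    "Traffix SDC": ["5.2.0", "5.1.0"],
}


def parse_version(text: str) -> Version:
    """Turn '15.1.10' into (15, 1, 10) so comparisons are numeric per component."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable version string: {text!r}")
    return tuple(int(p) for p in parts)


def parse_range(text: str) -> Tuple[Version, Version]:
    """Parse 'a – b' (en dash or hyphen) into (low, high); a bare version maps to (v, v)."""
    ends = [p.strip() for p in text.replace("–", "-").split("-")]
    if len(ends) == 1:
        v = parse_version(ends[0])
        return v, v
    if len(ends) != 2:
        raise ValueError(f"unparsable range: {text!r}")
    low, high = parse_version(ends[0]), parse_version(ends[1])
    if low > high:
        raise ValueError(f"range is reversed: {text!r}")
    return low, high


def is_affected(product: str, version: str) -> bool:
    """True if the given product version lies inside any listed affected range.

    Tuple comparison makes (17, 1, 2, 1) > (17, 1, 2), so a point release past the
    listed upper bound is treated as outside the range (assumption of this example).
    """
    if product not in AFFECTED_RANGES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    return any(low <= v <= high
               for low, high in (parse_range(r) for r in AFFECTED_RANGES[product]))


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that fall inside an affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "15.1.10"),       # upper bound, inclusive -> affected
    ("lb-edge-02", "BIG-IP", "16.1.6"),        # one past 16.1.5 -> not affected
    ("lb-edge-03", "BIG-IP", "17.1.2.1"),      # point release past 17.1.2 -> not affected
    ("f5os-chassis-01", "F5OS-C", "1.6.2"),    # inside 1.6.0 – 1.6.2 -> affected
    ("f5os-app-01", "F5OS-A", "1.6.0"),        # gap between listed ranges -> not affected
    ("diameter-01", "Traffix SDC", "5.1.0"),   # single-version range -> affected
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range")
```

The point of parsing the ranges from the page's own strings rather than hand-coding tuples is that the table can be kept in sync with the vendor text by copy and paste, and `parse_range` rejects a reversed or malformed entry instead of silently matching nothing.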
Solutions
Workaround:
Apply the workarounds issued by the vendor to mitigate the risk of attack:
For CVE-2016-9840:
- Disable HTTP compression on the BIG-IP system.
- Disable compression in iRules.
For CVE-2019-17563:
- Block Configuration utility access through self IP addresses.
- Block Configuration utility access through the management interface.
For CVE-2023-45853:
- Ensure that the affected system accepts ZIP files only from trusted users.
For CVE-2023-2650:
- Do not configure client certificate authentication for the Client SSL profile or server certificate authentication for the Server SSL profile (for BIG-IP).
- Do not configure httpd for client-side certificate authentication on the server. If client-side certificates have been previously implemented, remove them (for BIG-IP and BIG-IQ).
For CVE-2020-8037:
- Block SSH access through self IP addresses (for BIG-IP).
- Block SSH access through the management interface (for BIG-IP).
- Restrict CLI access to the root user (for F5OS).
For CVE-2016-9841:
- Disable HTTP compression (for BIG-IP).
- Disable compression in network access and connectivity profiles (for BIG-IP APM Clients).
Please visit the vendor website for more details.
Related Link
- https://my.f5.com/manage/s/article/K000149905
- https://my.f5.com/manage/s/article/K24551552
- https://my.f5.com/manage/s/article/K000149884
- https://my.f5.com/manage/s/article/K000135178
- https://my.f5.com/manage/s/article/K000149304
- https://my.f5.com/manage/s/article/K000149929
- https://my.f5.com/manage/s/article/K000149915