01.21.2022
Multiple F5 Vulnerabilities Affecting all Modules of F5 Products
Date of Notice: 01/21/2022
Action Level - High to Medium
Description
F5 recently released patches for v14, v15, and v16 of their BIG-IP products as well as NGINX Controller API Management v3.18.0 - v3.19.0. F5 has published these in K40084114. It is recommended that you review F5’s KB to determine your impact. These vulnerabilities are wide ranging and affect various versions of LTM, APM, and ASM specifically, with some vulnerabilities affecting all modules. In most cases the vulnerabilities cause a reboot of TMM, which can result in a denial of service; others cause memory leaks, and certain ones can permit traffic to be injected into a given flow.
Affected Devices (Various)
- BIG-IP V11-16
- Fixes available for V14 - V16
- BIG-IP All Modules
- BIG-IQ Centralized Management
- DNS/GTM
- APM
- AFM
- WAF
- ASM
- NGINX Controller API Management
- NGINX App Protect
Mitigation
- In multiple scenarios the attack causes TMM to reboot, which stops traffic from passing. An HA setup can mitigate the impact of these reboots.
- Certain attacks could cause excessive memory usage, impacting operation. An HA setup can mitigate this impact, and alerting can give early warning to permit a reboot to clear the memory bloat.
- Certain attacks require an authenticated user. Ensure only trusted users have accounts, and restrict access via network controls. Don’t copy/paste commands that you aren’t able to understand into the device.
- While these attacks require specific settings to be present, removing these settings as a means of mitigation is advised against because they are often required. If unsure of what a given profile does, don’t remove it.
Remediation
- Review the F5 KB and upgrade to the recommended software version.