
K000137368 : Overview of F5 vulnerabilities (October 26, 2023)

2023-10-26 00:00:00
my.f5.com
Tags: f5 vulnerabilities, critical cves, unauthenticated remote code execution, high cves, authenticated sql injection

Scores shown here are for CVE-2023-46747, the highest-scored issue in this overview.

CVSS v3.1: 9.8 Critical
  Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2: 7.5 High
  Access Vector: Network | Access Complexity: Low | Authentication: None | Confidentiality: Partial | Integrity: Partial | Availability: Partial
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.966 (High), percentile 99.5%

Security Advisory Description

On October 26, 2023, F5 announced the following security issues. This document is an overview of these vulnerabilities and security exposures, intended to help you determine their impact on your F5 devices. The details of each issue are in the associated articles.

  • Critical CVEs
  • High CVEs
  • Security Exposures

Critical CVEs

K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability (CVE-2023-46747)
  CVSS score: 9.8
  Affected products: BIG-IP (all modules)
  Affected versions¹: 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5
  Fixes introduced in:
    17.1.1.1
    17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG²
    17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG²
    16.1.4.2
    16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG²
    15.1.10.3
    15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG²
    14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG²
    13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG²

Note that for the 14.1.x and 13.1.x branches the table lists no scheduled point release, only the engineering hotfix.

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. A version absent from the table is therefore not evaluated, which is not the same as not affected.

² F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IP system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. After selecting your product and version from the Downloads page, scroll to the bottom of the page to locate the hotfix file. For example, to download Hotfix-BIGIP-17.1.0.3.0.75.4-ENG, select 17.1.0.3, then scroll down to select Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.

High CVEs

K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability (CVE-2023-46748)
  CVSS score: 8.8
  Affected products: BIG-IP (all modules)
  Affected versions¹: 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5
  Fixes introduced in:
    17.1.1.1
    17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG²
    17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG²
    16.1.4.2
    16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG²
    15.1.10.3
    15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG²
    14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG²
    13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG²

¹ ² See the footnotes under the Critical CVEs table; the affected-version policy and the engineering-hotfix download instructions are the same for this issue.
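Both CVE tables above list the same affected ranges and the same fixes, and two details trip up a naive inventory check: version strings must be compared numerically (15.1.10 is newer than 15.1.9, which string comparison gets backwards), and a branch missing from the table is "not evaluated" under footnote 1 rather than "not affected". The following triage script is an added example and not F5 tooling; the ranges, fix releases and hotfix names are copied from the tables, while the way the version and installed hotfix name are obtained (here assumed to come from `tmsh show sys version` or an inventory export) and the output shape are assumptions.

```python
"""Version triage for K000137368 (CVE-2023-46747 / CVE-2023-46748).

Added example, not F5 tooling. Affected ranges, fix releases and engineering
hotfix names are copied from the advisory tables; everything else (how the
version string and hotfix name are obtained, the result shape) is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'15.1.10' -> (15, 1, 10). Numeric tuples order correctly where plain
    string comparison would rank 15.1.9 above 15.1.10."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def padded(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so '17.1.1' and '17.1.1.0' compare equal."""
    return v + (0,) * (width - len(v))


@dataclass(frozen=True)
class Branch:
    affected_low: str            # inclusive, from "Affected versions"
    affected_high: str           # inclusive minor (x.y.z covers x.y.z.*)
    fixed_in: str | None         # first scheduled point release with the fix
    hotfixes: dict[str, str] = field(default_factory=dict)  # base release -> ENG hotfix


# Copied from the Critical/High CVE tables; both CVEs share the same rows.
BRANCHES: dict[tuple[int, int], Branch] = {
    (17, 1): Branch("17.1.0", "17.1.1", "17.1.1.1",
                    {"17.1.1": "Hotfix-BIGIP-17.1.1.0.2.6-ENG",
                     "17.1.0.3": "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"}),
    (16, 1): Branch("16.1.0", "16.1.4", "16.1.4.2",
                    {"16.1.4.1": "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"}),
    (15, 1): Branch("15.1.0", "15.1.10", "15.1.10.3",
                    {"15.1.10.2": "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"}),
    (14, 1): Branch("14.1.0", "14.1.5", None,
                    {"14.1.5.6": "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"}),
    (13, 1): Branch("13.1.0", "13.1.5", None,
                    {"13.1.5.1": "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"}),
}


def assess(version: str, installed_hotfix: str | None = None) -> dict:
    """Classify one BIG-IP build as 'fixed', 'vulnerable' or 'not-evaluated'.

    `version` is assumed to be the "Version" value from `tmsh show sys version`;
    `installed_hotfix` is the ENG hotfix name if one is applied (assumed to be
    recorded in inventory from the ISO that was installed).
    """
    v = padded(parse_version(version))
    branch = BRANCHES.get(v[:2])
    if branch is None:
        # Not in the tables: F5 evaluates only non-EoTS branches (footnote 1),
        # so absence is not evidence of safety.
        return {"status": "not-evaluated", "version": version, "fixes": []}

    if branch.fixed_in and v >= padded(parse_version(branch.fixed_in)):
        return {"status": "fixed", "version": version, "fixes": []}

    if v[:3] > padded(parse_version(branch.affected_high))[:3]:
        # Newer than anything the advisory lists on a branch with no point fix.
        return {"status": "not-evaluated", "version": version, "fixes": []}

    for base, hotfix in branch.hotfixes.items():
        if v == padded(parse_version(base)) and installed_hotfix == hotfix:
            return {"status": "fixed", "version": version, "fixes": []}

    fixes = ([branch.fixed_in] if branch.fixed_in else []) + [
        f"{base} + {hotfix}" for base, hotfix in branch.hotfixes.items()
    ]
    return {"status": "vulnerable", "version": version, "fixes": fixes}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("lb-01", "15.1.9", None),
                 ("lb-02", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
                 ("lb-03", "14.1.5.6", None),
                 ("lb-04", "12.1.6", None)]
    for host, ver, hf in inventory:
        r = assess(ver, hf)
        print(f"{host:6} {ver:10} {r['status']:14} {', '.join(r['fixes'])}")
```

The three-way result is deliberate: a 12.1.x or 11.x device comes back "not-evaluated" and should be treated as exposed until confirmed otherwise, and a 14.1.5.6 or 13.1.5.1 device is only "fixed" when the matching ENG hotfix is actually recorded as installed, since those branches have no scheduled point release in the table.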

Security Exposures

K000137322: BIG-IP iRule or LTM policy may generate multiple HTTP redirect responses
  BIG-IP (all modules)
    Affected versions¹: 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5
    Fixes introduced in: 17.1.1.1, 16.1.4.2, 15.1.10.3
  BIG-IP Next (all modules)
    Affected versions¹: 20.0.1
    Fixes introduced in: None
  BIG-IP Next SPK
    Affected versions¹: 1.5.0 - 1.8.2
    Fixes introduced in: None
  BIG-IP Next CNF
    Affected versions¹: 1.1.0 - 1.1.1
    Fixes introduced in: None

¹ See footnote 1 under the Critical CVEs table: F5 evaluates only software versions that have not yet reached End of Technical Support (EoTS).
