F5F5:K000138353K000138353 : Quarterly Security Notification (February 2024)
Security Advisory Description
On February 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
You can watch the February 2024 Quarterly Security Notification briefing by DevCentral in the following video:
- High CVEs
- Medium CVEs
- Low CVEs
- Security Exposures
High CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K000137522: BIG-IP iControl REST vulnerability CVE-2024-22093 | 8.7 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| K000134516: BIG-IP SSL Client Certificate LDAP and CRLDP Authentication profiles vulnerability CVE-2024-23979 | 7.5 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| K000135873: BIG-IP Websockets vulnerability CVE-2024-21849 | 7.5 | BIG-IP (Advanced WAF/ASM) | ||
| 16.1.0 - 16.1.3 | 17.1.0 | |||
| 16.1.4 | ||||
| K000135946: BIG-IP PEM vulnerability CVE-2024-23982 | 7.5 | BIG-IP (PEM) | 17.1.0 - 17.1.12 | |
| 16.1.0 - 16.1.42 | ||||
| 15.1.0 - 15.1.102 | None2 | |||
| K000137270: BIG-IP Advanced WAF and BIG-IP ASM and vulnerability CVE-2024-21789 | 7.5 | BIG-IP (Advanced WAF/ASM) | 17.1.0 | 17.1.1 |
| K000137333: BIG-IP TMM vulnerability CVE-2024-24775 | 7.5 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.9 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.10 | ||||
| K000137334: F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability CVE-2024-23805 | 7.5 | Application Visibility and Reporting module and BIG-IP (Advanced WAF/ASM) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.9 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.10 | ||||
| K000137416: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308 | 7.5 | BIG-IP (Advanced WAF/ASM) | 17.1.0 | 17.1.1 |
| K000137521: BIG-IP AFM vulnerability CVE-2024-21763 | 7.5 | BIG-IP (AFM) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.9 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.10 | ||||
| K000137595: BIG-IP AFM signature matching vulnerability CVE-2024-21771 | 7.5 | BIG-IP (AFM + IPS) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| K000137675: BIG-IP HTTP/2 vulnerability CVE-2024-23314 | 7.5 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| BIG-IP Next SPK | 1.5.0 - 1.8.0 | 1.8.1 | ||
| K000138444: NGINX HTTP/3 QUIC vulnerability CVE-2024-24989 | 7.5 | NGINX Plus | R31 | R31 P1 |
| NGINX Open Source | 1.25.3 | 1.25.4 | ||
| K000138445: NGINX HTTP/3 QUIC vulnerability CVE-2024-24990 | 7.5 | NGINX Plus | R30 - R31 | R31 P1 |
| R30 P2 | ||||
| NGINX Open Source | 1.25.0 - 1.25.3 | 1.25.4 | ||
| K32544615: BIG-IP iControl REST API vulnerability CVE-2024-22389 | 7.2 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
2None of the classification signatures included with any BIG-IP ISO files are affected by this issue. The vulnerable classification signatures were available for download on MyF5 between 09-08-2022 and 02-16-2023. If you manually updated your signature file during this time, your system may be running a vulnerable version. Additionally, if you had automatic downloads enabled on your BIG-IP PEM system during this time, your system may be running a vulnerable version. For a list of affected and fixed signatures, and to determine which signatures your system is running, refer to the article.
Medium CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K98606833: BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782 | 6.7 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| BIG-IQ Centralized Manager | 8.0.0 - 8.3.0 | 8.3.0 + Hotfix-BIG-IQ-8.3.0.0.16.118-ENG2 | ||
| K000133111: F5OS vulnerability CVE-2024-24966 | 6.2 | F5OS-A | 1.2.0 | 1.3.0 |
| F5OS-C | 1.3.0 - 1.5.1 | 1.6.0 | ||
| K91054692: BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976 | 6.0 | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.9 | ||||
| K000132800: F5OS QKView utility vulnerability CVE-2024-23607 | 5.5 | F5OS-A | 1.3.0 - 1.3.2 | 1.4.0 |
| F5OS-C | 1.3.0 - 1.5.1 | 1.6.0 | ||
| K000137886: BIG-IP Next CNF vulnerability CVE-2024-23306 | 4.4 | BIG-IP Next CNF | 1.1.0 - 1.1.1 | 1.2.0 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
2F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IQ system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Low CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K000138047: BIG-IP Advanced WAF and BIG-IP ASM Configuration utility vulnerability CVE-2024-23603 | 3.8 | BIG-IP (Advanced WAF/ASM) | 17.1.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.9 | 17.1.1 | |||
| 16.1.4 | ||||
| 15.1.10 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Security Exposures
| Article (Exposure) | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|
| K11453402: BIG-IP Cookie encryption security exposure | BIG-IP Next SPK | 1.5.0 - 1.8.0 | 1.8.2 |
| BIG-IP Next CNF | 1.1.0 - 1.1.1 | 1.2.0 | |
| BIG-IP (all modules) | 16.1.0 - 16.1.3 | ||
| 15.1.0 - 15.1.8 | 17.1.0 | ||
| 16.1.4 | |||
| 15.1.9 | |||
| K000137796: BIG-IP SSL profile security exposure | BIG-IP (all modules) | 17.1.0 | |
| 16.1.0 - 16.1.4 | |||
| 15.1.0 - 15.1.10 | 17.1.1 | ||
| 16.1.4.2 | |||
| 15.1.10.3 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related
