Security Advisory Description
On May 8, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help you determine their impact on your F5 devices. You can find the details of each issue in the associated articles.
You can watch the May 2024 Quarterly Security Notification briefing by DevCentral in the accompanying video.
High CVEs
Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|---|
K000138636: BIG-IP Configuration utility XSS vulnerability CVE-2024-31156 | 8.0 | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
K000138732: BIG-IP Next Central Manager OData Injection vulnerability CVE-2024-21793 | 7.5 | BIG-IP Next Central Manager | 20.0.1 - 20.1.0 | 20.2.0 |
K000138733: BIG-IP Next Central Manager SQL Injection vulnerability CVE-2024-26026 | 7.5 | BIG-IP Next Central Manager | 20.0.1 - 20.1.0 | 20.2.0 |
K000138728: BIG-IP IPsec vulnerability CVE-2024-33608 | 7.5 | BIG-IP (all modules) | 17.1.0 | 17.1.1 |
K000139037: TMM vulnerability CVE-2024-25560 | 7.5 | BIG-IP (AFM) | 17.1.0, 16.1.0 - 16.1.3, 15.1.10 | 17.1.1, 16.1.4 |
 | | BIG-IP Next CNF | 1.1.0 - 1.1.1 | 1.2.0 |
K000138634: BIG-IP Next Central Manager vulnerability CVE-2024-32049 | 7.4 | BIG-IP Next Central Manager | 20.0.1 - 20.0.2 | 20.1.0 |
K000138744: BIG-IP APM browser network access VPN client vulnerability CVE-2024-28883 | 7.4 | BIG-IP (APM) | 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10 | 17.1.1, 16.1.4.2, 15.1.10.3 |
 | | APM Clients | 7.2.3 - 7.2.4 | 7.2.4.4² |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
² The fixed versions of APM Client introduce a change in behavior. For more information, refer to K000136020: BIG-IP APM EPI blocks VPN connections to HTTP and untrusted HTTPS virtual servers on web browsers.
Medium CVEs
Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|---|
K000139012: BIG-IP Next Central Manager vulnerability CVE-2024-33612 | 6.8 | BIG-IP Next Central Manager | 20.0.1 - 20.1.0 | 20.2.0² |
K000139217: BIG-IP TMM tenants on VELOS and rSeries vulnerability CVE-2024-32761 | 6.5 | BIG-IP (all modules) | 15.1.0 - 15.1.9 | 15.1.10 |
K000138894: BIG-IP Configuration utility XSS vulnerability CVE-2024-33604 | 6.1 | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
K000138912: BIG-IP SSL vulnerability CVE-2024-28889 | 5.9 | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.2.1 - 16.1.4, 15.1.5 - 15.1.10 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
K000138520: BIG-IP Configuration utility vulnerability CVE-2024-27202 | 4.7 | BIG-IP (all modules) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
K000138913: BIG-IP Next CNF vulnerability CVE-2024-28132 | 4.4 | BIG-IP Next CNF | 1.2.0 - 1.2.1 | 1.3.0 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
² When running the fixed BIG-IP Next Central Manager version 20.2.0 with F5OS-type providers (F5 VELOS chassis partitions or rSeries), ensure that the TLS certificate used by these F5OS systems has well-formed Subject Alternative Names (SAN).
Security Exposures
Article (Exposure) | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|
K000132430: The BIG-IP system may fail to block HTTP Request Smuggling attacks | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.8 | 17.1.0, 16.1.4, 15.1.9 |
 | BIG-IP Next SPK | 1.5.0 - 1.6.0 | 1.7.0 |
K11342432: BIG-IP HTTP non-RFC-compliant security exposure | BIG-IP (Advanced WAF/ASM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.6 | 17.1.0, 16.1.4, 15.1.7 |
 | BIG-IP (all other modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5 | 17.1.0, 16.1.2.2, 15.1.5.1 |
 | BIG-IP (Advanced WAF/ASM) | 17.1.0 - 17.1.1, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10 | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
 | BIG-IP Next (WAF) | 20.0.1 - 20.1.0 | 20.2.0 |
 | NGINX App Protect WAF | 4.0.0 - 4.8.0, 3.10.0 - 3.12.2 | 4.8.1 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
CPE

Name | Operator | Version |
---|---|---|
big-ip apm | eq | 15.1.0 |
big-ip apm | eq | 15.1.1 |
big-ip apm | eq | 15.1.2 |
big-ip apm | eq | 15.1.3 |
big-ip apm | eq | 15.1.4 |
big-ip apm | eq | 15.1.5 |
big-ip apm | eq | 15.1.6 |
big-ip apm | eq | 15.1.7 |
big-ip apm | eq | 15.1.8 |
big-ip apm | eq | 15.1.10 |