CVSSv2 base score: 5.8 (Medium)
CVSSv2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
EPSS: 0.007 (Low), percentile 78.4%
F5 Product Development has assigned IDs 739439 and 739444 (BIG-IP, BIG-IQ and F5 iWorkflow) and ID 739439 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H11068141 on the Diagnostics > Identified > Medium page.
To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.
Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score¹ | Vulnerable component or feature
---|---|---|---|---|---|---
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 14.x | 14.0.0 | None | Medium | 4.7 | Python
 | 13.x | 13.0.0 - 13.1.1 | None | | |
 | 12.x | 12.1.0 - 12.1.3 | None | | |
 | 11.x | 11.5.0 - 11.6.3 | None | | |
Enterprise Manager | 3.x | 3.1.1 | None | Medium | 4.7 | Python
BIG-IQ Centralized Management | 6.x | 6.0.0 - 6.0.1 | None | Medium | 4.7 | Python
 | 5.x | 5.0.0 - 5.4.0 | None | | |
 | 4.x | 4.6.0 | None | | |
BIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Medium | 4.7 | None
F5 iWorkflow | 2.x | 2.3.0 | None | Medium | 4.7 | None
Traffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None
 | 4.x | None | Not applicable | | |
¹ The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, ensure that Python scripts on the system communicate only with trusted servers. Manually download and install update packages instead of using the automated IP Intelligence (IPI) update scripts, which contact external update servers. IPI is not enabled by default on the BIG-IP system.
Even though the default setting for IPI is Disabled, the BIG-IP system is still exposed if an administrator installs their own Python scripts that use the affected libraries to connect to external sites over TLS (that is, sites presenting X.509 certificates). Admin privileges are required to install non-standard Python scripts, so restrict system access to trusted users only.
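The "communicate only with trusted servers" control above is only as good as the script that implements it. The following is an added example, not code from F5 or from this advisory, of how an operator-written Python 3 script can enforce that rule: an explicit allowlist of update hosts, HTTPS only, an SSL context that requires a verified chain and hostname match, and an exact (non-wildcard) comparison of the server certificate's DNS names against the host that was requested. The hostnames in TRUSTED_HOSTS, the function names, and the CA-bundle path are assumptions for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Assumed allowlist of the only servers this script may ever contact.
TRUSTED_HOSTS = frozenset({"updates.example.com", "mirror.example.com"})


def build_context(cafile=None):
    """Return a client TLS context that refuses unverified peers.

    cafile: path to the CA bundle that issues the trusted servers' certificates
    (assumption: the operator ships it alongside the script). When None, the
    platform's default trust store is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True          # the peer name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True when the context both verifies the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def check_url(url, allowlist=TRUSTED_HOSTS):
    """Return (host, port) for an acceptable URL, or None if it must be refused.

    Refuses anything that is not https or whose host is outside the allowlist.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or host not in allowlist:
        return None
    return host, parts.port or 443


def san_matches(dns_names, host):
    """Exact match of the peer's dNSName SANs against the expected host.

    Wildcard names are rejected on purpose: an update server should present the
    exact name the script connects to, so '*.example.com' is never acceptable.
    """
    host = host.lower().rstrip(".")
    return any("*" not in n and n.lower().rstrip(".") == host for n in dns_names)


def fetch_update(url, cafile=None, timeout=10):
    """Download a package over TLS from an allowlisted server and return the raw bytes."""
    target = check_url(url)
    if target is None:
        raise ValueError(f"refusing to contact {url}: not https or not an allowlisted host")
    host, port = target
    ctx = build_context(cafile)
    path = urlsplit(url).path or "/"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Defense in depth: re-check the DNS names ourselves after the library's check.
            cert = tls.getpeercert()
            sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
            if not san_matches(sans, host):
                raise ssl.SSLCertVerificationError(f"peer certificate does not name {host} exactly")
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```

The allowlist is deliberately a fixed set in the script rather than something read from a remotely fetched configuration, so a compromised or impersonated update server cannot widen it. Shipping your own CA bundle (cafile) narrows trust further than the platform store, which is appropriate when the script only ever talks to a handful of known servers.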