TMM vulnerability CVE-2016-7468

2017-03-23T00:45:00
ID F5:K13053402
Type f5
Reporter f5
Modified 2017-04-04T19:52:00

Description

F5 Product Development has assigned ID 611830 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H13053402 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP AAM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3| High| TMM
BIG-IP AFM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3| High| TMM
BIG-IP Analytics| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP APM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP ASM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP DNS| None| 13.0.0, 12.0.0 - 12.1.2| Not Vulnerable| None
BIG-IP Edge Gateway| None| 11.2.1| Not Vulnerable| None
BIG-IP GTM| 11.4.0 - 11.5.4 HF2| 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP Link Controller| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3, 11.2.1| High| TMM
BIG-IP PEM| 11.4.0 - 11.5.4 HF2| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.4 HF3| High| TMM
BIG-IP PSM| 11.4.0 - 11.4.1| None| High| TMM
BIG-IP WebAccelerator| None| 11.2.1| Not Vulnerable| None
BIG-IP WebSafe| None| 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1| Not Vulnerable| None
ARX| None| 6.2.0 - 6.4.0| Not vulnerable| None
Enterprise Manager| None| 3.1.1| Not vulnerable| None
FirePass| None| 7.0.0| Not vulnerable| None
BIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None
BIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None
BIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None
BIG-IQ ADC| None| 4.5.0| Not vulnerable| None
BIG-IQ Centralized Management| None| 5.1.0, 4.6.0| Not vulnerable| None
BIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None
F5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None
LineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None
Traffix SDC| None| 5.0.0 - 5.1.0, 4.0.0 - 4.4.0| Not vulnerable| None

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

This vulnerability affects the BIG-IP system only when the tm.tcpprogressive database variable value is set to enabled. The default value for the tm.tcpprogressive database variable is negotiate.

Determining the tm.tcpprogressive database value

To determine the tm.tcpprogressive database variable's current value, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

     tmsh

  2. Determine the current value of the tm.tcpprogressive database variable by typing the following command:

     list sys db tm.tcpprogressive

  3. Exit the tmsh utility by typing the following command:

     quit
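
The two conditions above (a version in the vulnerable range and tm.tcpprogressive set to enabled) can be checked together in a script. The following is an added example, not F5 code: the function names are hypothetical, the range 11.4.0 - 11.5.4 HF2 is taken from the BIG-IP LTM row of the table, and the layout of the `list sys db` output is an assumption.

```shell
#!/bin/bash
# Added example (not F5 code): apply the advisory's two conditions for CVE-2016-7468.

# Read `list sys db tm.tcpprogressive` output on stdin and print the bare value.
tcpprogressive_value() {
    awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'
}

# Turn a dotted version such as 11.5.4 into one comparable integer (11005004).
ver_num() {
    local IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeed if VERSION with hotfix level HOTFIX lies in 11.4.0 - 11.5.4 HF2.
in_vulnerable_range() {
    local v hf=${2:-0}
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 11.4.0)" ] || return 1
    [ "$v" -lt "$(ver_num 11.5.4)" ] && return 0
    [ "$v" -eq "$(ver_num 11.5.4)" ] && [ "$hf" -le 2 ]
}

# classify VERSION HOTFIX, with the tmsh output on stdin; prints one verdict.
classify() {
    local value
    value=$(tcpprogressive_value)
    if ! in_vulnerable_range "$1" "$2"; then
        echo "version-not-listed-vulnerable"
    elif [ -z "$value" ]; then
        echo "unknown-value"
    elif [ "$value" = "enabled" ] || [ "$value" = "enable" ]; then
        # Assumption: the advisory's "enabled" may be spelled "enable" by tmsh.
        echo "exposed"
    else
        echo "vulnerable-version-not-exposed"
    fi
}

# Constructed sample output (assumed layout, not captured from a device).
sample='sys db tm.tcpprogressive {
    value "negotiate"
}'
printf '%s\n' "$sample" | classify 11.5.4 2
```

On a BIG-IP system the real output can be piped in from bash, for example `tmsh list sys db tm.tcpprogressive | classify 11.5.4 2`, passing 0 as the hotfix level for a release without hotfixes.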