iControl vulnerability CVE-2014-2928

2015-09-15T09:00:00
ID F5:K15220
Type f5
Reporter f5
Modified 2019-05-08T19:30:00

Description

F5 Product Development has assigned ID 448802 (BIG-IP and Enterprise Manager) and ID 484170 (BIG-IQ) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H484322 on the Diagnostics > Identified > High page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
---|---|---|---
BIG-IP LTM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP AAM | 11.4.0 - 11.5.1 | 11.6.0, 11.5.2 | iControl
BIG-IP AFM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.2 | iControl
BIG-IP Analytics | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15 | iControl
BIG-IP APM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15, 10.1.0 - 10.2.4 | iControl
BIG-IP ASM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.1.0 - 10.2.4 | iControl
BIG-IP GTM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP Link Controller | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP PEM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.2 | iControl
BIG-IP PSM | 11.0.0 - 11.4.1 | 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
BIG-IP WOM | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.0.0 - 10.2.4 | iControl
ARX | None | 6.0.0 - 6.4.0 | None
Enterprise Manager | 3.0.0 - 3.1.1 | 2.1.0 - 2.3.0, 3.1.1 HF2 | iControl
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None
BIG-IQ Cloud | 4.0.0 - 4.4.0 | None | iControl
BIG-IQ Device | 4.2.0 - 4.4.0 | None | iControl
BIG-IQ Security | 4.0.0 - 4.4.0 | None | iControl

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
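The upgrade rule above can be applied mechanically to an inventory. The following is an added example, not F5 code: it transcribes two rows of the table (BIG-IP LTM and BIG-IP Edge Gateway), and the names `TABLE`, `parse_version` and `assess` are hypothetical. It assumes a hotfix level at or above the listed one (for example 11.2.1 HF15) also contains the fix.

```python
import re

# Rows transcribed from the advisory table (two products shown; extend as needed).
# fixed_points are (version, minimum hotfix level); ranges are (low, high) inclusive.
TABLE = {
    "BIG-IP LTM": {
        "vulnerable": [((11, 0, 0), (11, 5, 1))],
        "fixed_points": [((11, 2, 1), 15), ((11, 5, 2), 0), ((11, 6, 0), 0)],
        "fixed_ranges": [((10, 0, 0), (10, 2, 4))],
    },
    "BIG-IP Edge Gateway": {
        "vulnerable": [((11, 0, 0), (11, 3, 0))],
        "fixed_points": [((11, 2, 1), 15)],
        "fixed_ranges": [((10, 1, 0), (10, 2, 4))],
    },
}

def parse_version(text):
    """Parse '11.2.1 HF15' or '11.4.1' into ((11, 2, 1), 15) or ((11, 4, 1), 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), int(m.group(4) or 0)

def fmt(ver, hf):
    return ".".join(map(str, ver)) + (f" HF{hf}" if hf else "")

def assess(product, running):
    """Return (status, upgrade_candidates) for a product and its running version."""
    row = TABLE[product]
    ver, hf = parse_version(running)
    # Assumption: a hotfix level >= the listed one on the same version is fixed.
    fixed = any(ver == v and hf >= min_hf for v, min_hf in row["fixed_points"]) \
        or any(lo <= ver <= hi for lo, hi in row["fixed_ranges"])
    if fixed:
        return "not vulnerable", []
    if not any(lo <= ver <= hi for lo, hi in row["vulnerable"]):
        return "not listed", []  # the table makes no statement about this version
    # Per the advisory, a fixed version older than the running one is not a candidate.
    newer = sorted(p for p in row["fixed_points"] if p > (ver, hf))
    return "vulnerable", [fmt(v, h) for v, h in newer]

if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for product, running in [("BIG-IP LTM", "11.2.1 HF3"), ("BIG-IP LTM", "11.5.2"),
                             ("BIG-IP Edge Gateway", "11.3.0")]:
        print(product, running, assess(product, running))
```

An empty candidate list with status `vulnerable` (as for Edge Gateway 11.3.0) is the "no upgrade candidate currently exists" case, where the mitigation below is the only option.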

Mitigation

To mitigate this vulnerability, you should permit access to F5 products only over a secure network and limit login access to trusted users.

F5 would like to acknowledge Brandon Perry of ZeniMax Online for bringing this issue to our attention.
