
XSS vulnerability in echo.jsp CVE-2014-4023

Description

F5 Product Development has assigned ID 470796 (BIG-IP) and ID 476101 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) lists Heuristic H476300 on the **Diagnostics** > **Identified** > **High** screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP AAM | 11.4.0 - 11.5.1 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9 | Configuration utility |
| BIG-IP AFM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9 | Configuration utility |
| BIG-IP Analytics | 11.0.0 - 11.5.1 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9 | Configuration utility |
| BIG-IP APM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP ASM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 10.2.4 HF12 | Configuration utility |
| BIG-IP GTM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP Link Controller | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP PEM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9 | Configuration utility |
| BIG-IP PSM | 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | 11.4.1 HF9, 10.2.4 HF12 | Configuration utility |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 10.2.4 HF12 | Configuration utility |
| BIG-IP WOM | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 10.2.4 HF12 | Configuration utility |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager | 3.0.0 - 3.1.1, 2.1.0 - 2.3.0 | None | Configuration utility |
| FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None |
| BIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None |
| BIG-IQ Device | None | 4.2.0 - 4.3.0 | None |
| BIG-IQ Security | None | 4.0.0 - 4.3.0 | None |

**Note:** The hotfixes listed in the **Versions known to be not vulnerable** column address this vulnerability.

If the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

To mitigate this vulnerability, you can limit Configuration utility access to a trusted management network.

F5 would like to acknowledge Stefan Viehböck of SEC Consult Vulnerability Lab for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

* [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)
* [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)
* [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)
* [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)
* [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)
* [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)
* [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)
* [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)
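The table's two columns interact in a way that is easy to get wrong in an inventory check: "11.0.0 - 11.5.1" is listed as vulnerable, yet "11.5.1 HF6" is listed as not vulnerable, so 11.5.1 base and hotfixes HF1 through HF5 remain vulnerable while HF6 and any later hotfix of 11.5.1 are fixed, and a release that appears in neither column (for example 11.5.3) is simply not covered by the advisory. The following is an added example, not F5 tooling, that encodes a few rows of the table with exactly those semantics and returns a three-way verdict per host; the product dictionary holds only the LTM, PSM and Enterprise Manager rows (extend it for the others), the version strings use the advisory's own "11.5.1 HF6" notation, and the inventory at the bottom is constructed for illustration.

```python
"""Applicability check for CVE-2014-4023 (echo.jsp XSS) against the advisory table.

Added example, not F5's own code. Version strings follow the advisory's
notation: "11.5.1" for a base release, "11.5.1 HF6" for a hotfix.
"""
import re
from typing import NamedTuple


class Version(NamedTuple):
    """A BIG-IP/EM release plus hotfix number (0 = base release, no hotfix)."""
    major: int
    minor: int
    maint: int
    hotfix: int = 0

    @property
    def base(self):
        """The release without its hotfix, for range comparisons."""
        return (self.major, self.minor, self.maint)


_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse '11.5.1' or '11.5.1 HF6'; reject anything else loudly."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hf = m.groups()
    return Version(int(major), int(minor), int(maint), int(hf) if hf else 0)


# Rows transcribed from the table above (three products only; extend as needed).
# Each vulnerable range is inclusive of its base releases. A fixed entry with a
# hotfix number covers that hotfix and every later hotfix of the same base.
ADVISORY = {
    "BIG-IP LTM": (
        [("11.0.0", "11.5.1"), ("10.1.0", "10.2.4")],
        ["11.6.0", "11.5.2", "11.5.1 HF6", "11.4.1 HF9", "10.2.4 HF12"],
    ),
    "BIG-IP PSM": (
        [("11.0.0", "11.4.1"), ("10.1.0", "10.2.4")],
        ["11.4.1 HF9", "10.2.4 HF12"],
    ),
    "Enterprise Manager": (
        [("3.0.0", "3.1.1"), ("2.1.0", "2.3.0")],
        [],  # the table lists no fixed release for EM
    ),
}


def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'not vulnerable' or 'not listed' per the advisory table."""
    vulnerable_ranges, fixed = ADVISORY[product]
    v = parse_version(version_text)

    # Fixed entries win over range membership: 11.5.1 HF6 sits inside the
    # 11.0.0 - 11.5.1 range but is explicitly listed as not vulnerable.
    for fixed_text in fixed:
        f = parse_version(fixed_text)
        if f.base != v.base:
            continue
        if f.hotfix == 0 or v.hotfix >= f.hotfix:
            return "not vulnerable"

    for lo_text, hi_text in vulnerable_ranges:
        if parse_version(lo_text).base <= v.base <= parse_version(hi_text).base:
            return "vulnerable"

    # Neither column mentions this release (e.g. 11.5.3): the advisory makes
    # no claim about it, so do not report it as safe.
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory (hostname, product, version); not real hosts.
    inventory = [
        ("ltm-edge-01", "BIG-IP LTM", "11.5.1 HF3"),
        ("ltm-edge-02", "BIG-IP LTM", "11.5.1 HF6"),
        ("ltm-lab-01", "BIG-IP LTM", "11.5.3"),
        ("psm-01", "BIG-IP PSM", "11.4.1 HF8"),
        ("em-01", "Enterprise Manager", "3.1.1"),
    ]
    for host, product, version in inventory:
        print(f"{host:12} {product:20} {version:12} {assess(product, version)}")
```

Hosts reported as "not listed" should be checked against the current version of the F5 article rather than treated as clean, and hosts with no upgrade candidate (Enterprise Manager, or the 11.x rows whose only fixed release is 10.2.4 HF12) are the ones for which the management-network restriction above is the only mitigation the advisory offers.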

