XSS vulnerability in echo.jsp CVE-2014-4023

2014-08-25T23:02:00
ID F5:K15532
Type f5
Reporter f5
Modified 2017-03-14T00:51:00

Description

F5 Product Development has assigned ID 470796 (BIG-IP) and ID 476101 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth lists Heuristic H476300 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature
---|---|---|---
BIG-IP LTM| 11.0.0 - 11.5.1, 10.1.0 - 10.2.4| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP AAM| 11.4.0 - 11.5.1| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9| Configuration utility
BIG-IP AFM| 11.3.0 - 11.5.1| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9| Configuration utility
BIG-IP Analytics| 11.0.0 - 11.5.1| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9| Configuration utility
BIG-IP APM| 11.0.0 - 11.5.1, 10.1.0 - 10.2.4| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP ASM| 11.0.0 - 11.5.1, 10.1.0 - 10.2.4| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP Edge Gateway| 11.0.0 - 11.3.0, 10.1.0 - 10.2.4| 10.2.4 HF12| Configuration utility
BIG-IP GTM| 11.0.0 - 11.5.1, 10.1.0 - 10.2.4| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP Link Controller| 11.0.0 - 11.5.1, 10.1.0 - 10.2.4| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP PEM| 11.3.0 - 11.5.1| 11.6.0, 11.5.2, 11.5.1 HF6, 11.4.1 HF9| Configuration utility
BIG-IP PSM| 11.0.0 - 11.4.1, 10.1.0 - 10.2.4| 11.4.1 HF9, 10.2.4 HF12| Configuration utility
BIG-IP WebAccelerator| 11.0.0 - 11.3.0, 10.1.0 - 10.2.4| 10.2.4 HF12| Configuration utility
BIG-IP WOM| 11.0.0 - 11.3.0, 10.1.0 - 10.2.4| 10.2.4 HF12| Configuration utility
ARX| None| 6.0.0 - 6.4.0| None
Enterprise Manager| 3.0.0 - 3.1.1, 2.1.0 - 2.3.0| None| Configuration utility
FirePass| None| 7.0.0, 6.0.0 - 6.1.0| None
BIG-IQ Cloud| None| 4.0.0 - 4.3.0| None
BIG-IQ Device| None| 4.2.0 - 4.3.0| None
BIG-IQ Security| None| 4.0.0 - 4.3.0| None

Note: The hotfixes listed in the Versions known to be not vulnerable column address all of the aforementioned vulnerabilities.

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
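The following is an added example, not part of the F5 advisory, that applies the table's rule above to a running version string: it decides whether a release is in a "known to be vulnerable" range, and if so whether a listed fixed release exists that is newer than the running one (otherwise "no upgrade candidate currently exists"). Only a subset of the table (BIG-IP LTM, BIG-IP Edge Gateway, Enterprise Manager) is embedded. The `ADVISORY`, `parse_version` and `assess` names are this example's own, and it makes one assumption the advisory does not state explicitly: a later hotfix on the same base release (for example 11.5.1 HF7) is treated as carrying the fix listed for 11.5.1 HF6.

```python
import re
from typing import NamedTuple, Optional

# Subset of the advisory table, transcribed as written. A version with no "HFn"
# suffix is a base release; "11.5.1 HF6" is hotfix 6 on top of 11.5.1.
ADVISORY = {
    "BIG-IP LTM": {
        "vulnerable": ["11.0.0 - 11.5.1", "10.1.0 - 10.2.4"],
        "fixed": ["11.6.0", "11.5.2", "11.5.1 HF6", "11.4.1 HF9", "10.2.4 HF12"],
    },
    "BIG-IP Edge Gateway": {
        "vulnerable": ["11.0.0 - 11.3.0", "10.1.0 - 10.2.4"],
        "fixed": ["10.2.4 HF12"],
    },
    "Enterprise Manager": {
        "vulnerable": ["3.0.0 - 3.1.1", "2.1.0 - 2.3.0"],
        "fixed": [],  # table lists no non-vulnerable version
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, maint, hotfix); hotfix is 0 for a base release.

    Plain tuple ordering then gives 11.5.1 < 11.5.1 HF6 < 11.5.2, which is the
    ordering the advisory's "older than" / "newer than" wording relies on.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hf = m.groups()
    return (int(major), int(minor), int(maint), int(hf or 0))


def parse_range(text: str) -> tuple:
    """Parse "11.0.0 - 11.5.1" (or a single version) into (low, high) keys."""
    low, _, high = text.partition("-")
    return parse_version(low), parse_version(high or low)


class Assessment(NamedTuple):
    status: str                      # "vulnerable", "not vulnerable" or "not listed"
    upgrade_candidate: Optional[str] # a listed fixed release newer than the running one


def assess(product: str, running: str) -> Assessment:
    entry = ADVISORY[product]
    run = parse_version(running)
    fixed = [(parse_version(v), v) for v in entry["fixed"]]

    # Listed fixed release, or (assumption) a later hotfix on the same base
    # release, is known not to be vulnerable.
    for key, _ in fixed:
        if key[:3] == run[:3] and run[3] >= key[3]:
            return Assessment("not vulnerable", None)

    # Vulnerable ranges are stated on base releases, so compare the base triple.
    in_range = any(
        low[:3] <= run[:3] <= high[:3]
        for low, high in map(parse_range, entry["vulnerable"])
    )
    if not in_range:
        return Assessment("not listed", None)

    # Upgrade candidate: the smallest listed fixed release that is newer than
    # what is running. If every listed release is older, none exists.
    newer = sorted(item for item in fixed if item[0] > run)
    return Assessment("vulnerable", newer[0][1] if newer else None)


if __name__ == "__main__":
    for product, version in [
        ("BIG-IP LTM", "11.5.1"),
        ("BIG-IP LTM", "11.5.1 HF7"),
        ("BIG-IP Edge Gateway", "11.2.0"),
        ("Enterprise Manager", "3.1.1"),
    ]:
        print(f"{product} {version}: {assess(product, version)}")
```

For BIG-IP LTM 11.5.1 the nearest listed fix is 11.5.1 HF6; for BIG-IP Edge Gateway 11.2.0 the only listed release, 10.2.4 HF12, is older than the running version, so the function reports no upgrade candidate, which is exactly the case the paragraph above describes.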

To mitigate this vulnerability, you can limit Configuration utility access to a trusted management network.

F5 would like to acknowledge Stefan Viehböck of SEC Consult Vulnerability Lab for bringing this issue to our attention, and for following the highest standards of responsible disclosure.