logo
DATABASE RESOURCES PRICING ABOUT US

ImageMagick vulnerability CVE-2016-3717

Description

F5 Product Development has assigned ID 591908 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H29154575 on the **Diagnostics** > **Identified** > **Medium** screen. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table: Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature ---|---|---|---|--- BIG-IP LTM | None | 13.0.0 12.0.0 - 12.1.2 11.0.0 - 11.6.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP AAM | 12.0.0 - 12.1.0 11.4.0 - 11.6.1 | 13.0.0 12.1.1 - 12.1.2 12.1.0 HF1 12.0.0 HF3 11.6.1 HF1 11.5.4 HF2 | Medium | WebAcceleration profile configured with Image Optimization BIG-IP AFM | None | 13.0.0 12.0.0 - 12.1.2 11.3.0 - 11.6.1 | Not vulnerable | None BIG-IP Analytics | None | 13.0.0 12.0.0 - 12.1.2 11.0.0 - 11.6.1 | Not vulnerable | None BIG-IP APM | None | 13.0.0 12.0.0 - 12.1.2 11.0.0 - 11.6.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP ASM | None | 13.0.0 12.0.0 - 12.1.2 11.0.0 - 11.6.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP DNS | None | 13.0.0 12.0.0 - 12.1.1 | Not vulnerable | None BIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF16 10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization BIG-IP GTM | None | 11.0.0 - 11.6.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP Link Controller | None | 13.0.0 12.0.0 - 12.1.2 11.0.0 - 11.6.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP PEM | None | 13.0.0 12.0.0 - 12.1.2 11.3.0 - 11.6.1 | Not vulnerable | None BIG-IP PSM | None | 11.0.0 - 11.4.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF16 10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization BIG-IP WOM | None | 11.0.0 - 11.3.0 10.1.0 - 10.2.4 | Not vulnerable | None ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None Enterprise Manager | 3.0.0 - 3.1.1 | None | Low | ImageMagick FirePass | None | 7.0.0 6.0.0 - 6.1.0 | Not vulnerable | None BIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ImageMagick BIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ImageMagick BIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ImageMagick BIG-IQ ADC | 4.5.0 | None | Low | ImageMagick BIG-IQ Centralized Management | 5.0.0 4.6.0 | None | Low | ImageMagick BIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ImageMagick LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None F5 WebSafe | None | 1.0.0 | Not vulnerable | None Traffix SDC | None | 4.0.0 - 4.4.0 3.3.2 - 3.5.1 | Not vulnerable | None If you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. BIG-IP/BIG-IQ/Enterprise Manager To mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure: **Impact of action:** Performing the following procedure should not have a negative impact on your system. 1. Log in to the command line of the affected system. 2. Back up the **ImageMagick **global policy file by typing the following command: cp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol29154575 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**. 4. Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, if the **LABEL** coder is vulnerable, you would include the following line in the **policymap** stanza: <policy domain="coder" rights="none" pattern="LABEL" /> Since the vulnerable coder listed in CVE-2016-3717 is LABEL, the modified **policymap** stanza should look similar to the following example: <policymap> <policy domain="coder" rights="none" pattern="LABEL" /> </policymap> 5. Save the changes and exit the text editor. * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>) * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>) * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>) * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>) * [K03151140: ImageMagick vulnerability CVE-2016-3714](<https://support.f5.com/csp/article/K03151140>) * [K10550253: ImageMagick vulnerability CVE-2016-3715](<https://support.f5.com/csp/article/K10550253>) * [K25102203: ImageMagick vulnerability CVE-2016-3716](<https://support.f5.com/csp/article/K25102203>) * [K61974123: ImageMagick vulnerability CVE-2016-3718](<https://support.f5.com/csp/article/K61974123>) * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide **Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).


Related