F5 Product Development is evaluating this vulnerability. F5 Product Development has assigned ID 784689 (BIG-IP), ID 786105 (BIG-IQ), ID 787417 (F5 iWorkflow), ID 787401 (Enterprise Manager), and JIRA IDs CPF-25088 and CPF-25089 (Traffix) to this vulnerability.
To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.
Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score [1] | Vulnerable component or feature
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 15.x | 15.0.0 | None [2] | Low | 3.8 | Intel CPU / Linux Kernel on the following platforms: BIG-IP i15x00 series
 | 14.x | 14.0.0 - 14.1.0 | None [2] | | |
 | 13.x | 13.0.0 - 13.1.1 | None [2] | | |
 | 12.x | 12.0.0 - 12.1.4 | None [2] | | |
 | 11.x | 11.6.0 - 11.6.4 | None [2] | | |
Enterprise Manager | 3.x | 3.1.1 | None | Low | 3.8 | Intel CPU / Linux Kernel on the following platforms:
 | 5.x | 5.0.0 - 5.4.0 | None | | |
F5 iWorkflow | 2.x | 2.3.0 | None | Low | 3.8 | Intel CPU (see affected CPUs)
Traffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | 3.8 | Intel CPU (see affected CPUs)
[1] The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
[2] Updated microcode has been made available from Intel. F5 does not plan to release an official fix for this issue based on Intel's microcode updates. This decision is based on the significant performance degradation seen when enabling Intel's microcode fixes on our platforms: during testing of the microcode fix, F5 observed from 10% to over 50% performance degradation for many workloads.
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
The MDS vulnerabilities require that an attacker can provide and run binary code on the BIG-IP platform. Only users with Administrator, Resource Administrator, Manager, and iRules Manager privileges are able to exploit the MDS vulnerability. F5 recommends that you restrict these roles to trusted users.
Exploiting this vulnerability requires two processes to share the same L1 and L2 cache. To prevent exploitation of this vulnerability between guests in a multi-tenant vCMP environment, ensure that each guest is allocated a minimum of two cores.
Completely mitigating MDS requires an Intel microcode update and the associated Linux kernel patches. If a kernel and microcode update is unavailable, the only way to completely mitigate the MDS vulnerability is to disable SMT, which will degrade performance in most workloads. F5 recommends that customers evaluate whether mitigation is required in their environment, taking the performance impact into account. F5 is currently working on an integration strategy for full mitigation, conducting an extensive test campaign to characterize the impact of the fixes on system performance and stability and to understand potential issues. F5 will update this article with details of the fixes as they become available.
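The paragraph above names three separate parts of a complete MDS mitigation: the Intel microcode update, the kernel patches, and (where those are unavailable) disabling SMT. Linux kernels that carry the MDS fixes report which of these are actually in effect through sysfs, so an operator can confirm the state of a host rather than infer it from package versions. The following script is an added example written for this article and is not F5's code or part of the advisory; it reads the kernel's `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control` files and maps the kernel's own status strings onto the three parts. It assumes a Linux host whose kernel exposes those files (whether a particular BIG-IP build does is an assumption to verify on the system in question), and the sysfs root is a parameter so the classifier can also be exercised against a constructed sample tree.

```shell
#!/bin/sh
# Added example (not from the F5 advisory): classify a Linux host's MDS
# mitigation state from the kernel's sysfs reporting. The sysfs root is a
# parameter (default /sys) so the logic can be run against a constructed
# sample tree offline.

# Print one word on stdout describing the state of the tree rooted at $1:
#   no-kernel-fix      kernel predates MDS reporting: no kernel fix present
#   not-affected       kernel reports the CPU is not affected
#   mitigation-off     kernel has the fix but the mitigation was disabled
#   no-microcode       kernel fix present, Intel microcode update missing
#   fully-mitigated    microcode and kernel fix present, SMT disabled/mitigated
#   partial-smt-on     microcode and kernel fix present, but SMT still enabled
#   guest-smt-unknown  running as a guest; host SMT state is not visible
#   unknown            status string not recognised
mds_status() {
  root="${1:-/sys}"
  mds_file="$root/devices/system/cpu/vulnerabilities/mds"
  [ -r "$mds_file" ] || { echo no-kernel-fix; return 0; }
  mds="$(cat "$mds_file")"
  # Patterns follow the strings emitted by the kernel's MDS sysfs attribute.
  case "$mds" in
    "Not affected")                                          echo not-affected ;;
    "Vulnerable: Clear CPU buffers"*)                        echo no-microcode ;;
    Vulnerable*)                                             echo mitigation-off ;;
    Mitigation*"SMT Host state unknown"*)                    echo guest-smt-unknown ;;
    Mitigation*"SMT disabled"*|Mitigation*"SMT mitigated"*)  echo fully-mitigated ;;
    Mitigation*"SMT vulnerable"*)                            echo partial-smt-on ;;
    *)                                                       echo unknown ;;
  esac
}

# Print the SMT control knob (on/off/forceoff/notsupported/notimplemented),
# or "unavailable" when the kernel does not expose it.
smt_control() {
  root="${1:-/sys}"
  f="$root/devices/system/cpu/smt/control"
  [ -r "$f" ] && cat "$f" || echo unavailable
}

# Human-readable report for the tree rooted at $1. Exit status is 0 only when
# the host is fully mitigated or not affected, so it can gate a larger check.
mds_report() {
  root="${1:-/sys}"
  state="$(mds_status "$root")"
  echo "MDS state  : $state"
  echo "SMT control: $(smt_control "$root")"
  case "$state" in
    fully-mitigated|not-affected) return 0 ;;
    *)                            return 1 ;;
  esac
}

# Build a constructed sample tree (test data, not a real system) so the
# classifier can be exercised offline.
# $1 = directory, $2 = contents of the mds attribute, $3 = smt/control value.
make_sample_tree() {
  mkdir -p "$1/devices/system/cpu/vulnerabilities" "$1/devices/system/cpu/smt"
  printf '%s\n' "$2" > "$1/devices/system/cpu/vulnerabilities/mds"
  printf '%s\n' "$3" > "$1/devices/system/cpu/smt/control"
}

# Usage: sh mds_check.sh /sys     (or any sysfs-shaped directory)
if [ "$#" -gt 0 ]; then
  mds_report "$1"
fi
```

The distinction the script draws between `partial-smt-on` and `fully-mitigated` is the point the article makes: with microcode and kernel fix in place, the remaining exposure is between sibling hyperthreads, so SMT still decides whether the mitigation is complete. On a vCMP host this same check run inside a guest will typically report `guest-smt-unknown`, because a guest cannot observe the hypervisor's SMT configuration.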
Mitigation is not required if user space applications are from a trusted source and do not execute untrusted code that is supplied externally.