F5:K53244431
History: Apr 05, 2017 - 10:46 p.m.

SSL Intercept iApp HTTP Explicit Proxy vulnerability CVE-2017-0305

2017-04-05 22:46:00
support.f5.com

EPSS: 0.054 (Low), Percentile: 93.2%

F5 Product Development has assigned ID 648826 (SSL Intercept iApp) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H53244431 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature |
| --- | --- | --- | --- | --- |
| SSL Intercept iApp | 1.5.0 - 1.5.7¹ | 1.5.8 | Critical | TMM |
| BIG-IP LTM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP AAM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
| BIG-IP AFM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
| BIG-IP Analytics | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP APM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP ASM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP DNS | None | 13.0.0, 12.0.0 - 12.1.2 | Not vulnerable | None |
| BIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None |
| BIG-IP GTM | None | 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP Link Controller | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
| BIG-IP PEM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
| BIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None |
| BIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None |
| BIG-IP WebSafe | None | 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1 | Not vulnerable | None |
| ARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None |
| Enterprise Manager | None | 3.1.1 | Not vulnerable | None |
| BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None |
| BIG-IQ Centralized Management | None | 5.0.0 - 5.1.0, 4.6.0 | Not vulnerable | None |
| BIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None |
| F5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None |
| LineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None |
| Traffix SDC | None | 5.0.0 - 5.1.0, 4.0.0 - 4.4.0 | Not vulnerable | None |

¹ SSL Intercept iApp 1.5.0 - 1.5.7 is vulnerable when deployed using the Explicit Proxy feature with the SNAT Automap option for egress traffic. The SNAT Automap feature is not configured by default and is not a recommended configuration for this deployment.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

SSL Intercept iApp 1.5.0 - 1.5.7

For SSL Intercept iApp 1.5.0 - 1.5.7, you can mitigate this vulnerability by disabling the Explicit Proxy feature, or by disabling the SNAT Automap option. (If you choose to disable the SNAT Automap option, you can instead use the SNAT Pool option and define SNAT addresses that are appropriate for your environment).
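The conditions above (template version, Explicit Proxy, SNAT Automap) can be applied to an inventory of application services to separate exposed deployments from those that are only on a vulnerable version. The following is an added example, not F5 code: the CSV columns, service names and verdict labels are hypothetical, and it assumes the installed template name has the same form as the file name given on this page.

```python
import csv
import io
import re

# Template name form taken from the file name on this page
# (f5.ssl_intercept_svc_chain.v1.5.8); treating it as the installed name is an assumption.
TEMPLATE_RE = re.compile(r"^f5\.ssl_intercept_svc_chain\.v(\d+)\.(\d+)\.(\d+)$")
VULN_MIN, VULN_MAX, FIXED = (1, 5, 0), (1, 5, 7), (1, 5, 8)  # from the advisory table

# Constructed sample inventory; column names are hypothetical operator-recorded fields.
SAMPLE_INVENTORY = """\
name,template,explicit_proxy,egress_snat
sslo-dc1,f5.ssl_intercept_svc_chain.v1.5.7,yes,automap
sslo-dc2,f5.ssl_intercept_svc_chain.v1.5.7,yes,pool
sslo-lab,f5.ssl_intercept_svc_chain.v1.5.3,no,automap
sslo-dr,f5.ssl_intercept_svc_chain.v1.5.8,yes,automap
sslo-new,f5.ssl_intercept_svc_chain.v1.5.10,yes,automap
sslo-odd,custom_template,yes,automap
"""


def classify(template, explicit_proxy, egress_snat):
    """Triage one application service against the conditions in this advisory."""
    match = TEMPLATE_RE.match(template.strip())
    if not match:
        return "unknown-template"
    # Compare as integer tuples: as strings, 1.5.10 would sort inside 1.5.0 - 1.5.7.
    version = tuple(int(part) for part in match.groups())
    if version == FIXED:
        return "fixed"
    if not VULN_MIN <= version <= VULN_MAX:
        return "not-listed"  # the advisory makes no statement about this version
    if explicit_proxy and egress_snat.strip().lower() == "automap":
        return "exposed"  # vulnerable version with both triggering options enabled
    return "mitigated-upgrade-advised"  # vulnerable version, trigger config absent


def triage(inventory_csv):
    """Map each service name in a CSV inventory to its verdict."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {
        row["name"]: classify(
            row["template"], row["explicit_proxy"].strip().lower() == "yes", row["egress_snat"]
        )
        for row in rows
    }


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

Services reported as `mitigated-upgrade-advised` still run a version in the vulnerable range and become exposed if Explicit Proxy and SNAT Automap are later enabled together.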

To eliminate this vulnerability for SSL Intercept iApp 1.5.0 - 1.5.7, you can upgrade the SSL Intercept iApp template to SSL Intercept iApp 1.5.8. To do so, perform the following procedures:

Downloading and importing SSL Intercept iApp 1.5.8

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Open a web browser and go to downloads.f5.com.
  2. Click Find a Download, and in the F5 Product Family column under the Security section, click SSL Orchestrator.
  3. Select BIG-IP version 12.1.0 from the list, and click SSL Orchestrator.
  4. Accept the End User License agreement, and download the iApp zip file to a location accessible from your BIG-IP system.
  5. Extract (unzip) the f5.ssl_intercept_svc_chain.v1.5.8 file.
  6. Log in to the BIG-IP Configuration utility.
  7. On the Main tab, expand iApp, and click Templates.
  8. Click Import.
  9. Select the Overwrite Existing Templates box.
  10. Click Browse, and browse to the location where you saved the iApp file.
  11. Click Upload.

Upgrading the Application Service to the current version of the template

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. From the Main tab of the BIG-IP Configuration utility, expand iApp and click Application Services.
  2. Click the name of your existing **f5.ssl_intercept_svc_chain** application service from the list.
  3. On the menu bar, click Reconfigure.
  4. At the top of the page, in the Template row, click Change to the right of the list.
  5. From the Template list, select f5.ssl_intercept_svc_chain.<latest version>.
  6. Click Finished.

Performing a ConfigSync operation (for HA device groups)

If BIG-IP systems are configured in a device group, you must perform a configuration synchronization (ConfigSync) operation to synchronize the new iApp configuration to the device group members. To do so, perform the following steps from the BIG-IP device in which you installed the SSL Intercept iApp 1.5.8.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Device Management > Overview.
  3. In the Device Groups section, select the name of the device group.
  4. In the Devices section, select the BIG-IP system in which you installed the SSL Intercept iApp 1.5.8.
  5. Click Sync Device to Group.
  6. Click Sync.
