F5 Product Development has assigned ID 648826 (SSL Intercept iApp) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H53244431 on the Diagnostics > Identified > High screen.
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature |
---|---|---|---|---|
SSL Intercept iApp | 1.5.0 - 1.5.7¹ | 1.5.8 | Critical | TMM |
BIG-IP LTM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP AAM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
BIG-IP AFM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
BIG-IP Analytics | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP APM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP ASM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP DNS | None | 13.0.0, 12.0.0 - 12.1.2 | Not vulnerable | None |
BIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None |
BIG-IP GTM | None | 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP Link Controller | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, 11.2.1 | Not vulnerable | None |
BIG-IP PEM | None | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | Not vulnerable | None |
BIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None |
BIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None |
BIG-IP WebSafe | None | 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1 | Not vulnerable | None |
ARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None |
Enterprise Manager | None | 3.1.1 | Not vulnerable | None |
BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None |
BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None |
BIG-IQ Centralized Management | None | 5.0.0 - 5.1.0, 4.6.0 | Not vulnerable | None |
BIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None |
F5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None |
LineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None |
Traffix SDC | None | 5.0.0 - 5.1.0, 4.0.0 - 4.4.0 | Not vulnerable | None |
¹ SSL Intercept iApp 1.5.0 - 1.5.7 is vulnerable when deployed using the Explicit Proxy feature with the SNAT Automap option for egress traffic. The SNAT Automap feature is not configured by default and is not a recommended configuration for this deployment.
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
Mitigation
SSL Intercept iApp 1.5.0 - 1.5.7
For SSL Intercept iApp 1.5.0 - 1.5.7, you can mitigate this vulnerability by disabling the Explicit Proxy feature, or by disabling the SNAT Automap option. (If you choose to disable the SNAT Automap option, you can instead use the SNAT Pool option and define SNAT addresses that are appropriate for your environment.)
To eliminate this vulnerability for SSL Intercept iApp 1.5.0 - 1.5.7, you can upgrade the SSL Intercept iApp template to SSL Intercept iApp 1.5.8. To do so, perform the following procedures:
Downloading and importing SSL Intercept iApp 1.5.8
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Upgrading the Application Service to the current version of the template
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Performing a ConfigSync operation (for HA device groups)
If BIG-IP systems are configured in a device group, you must perform a configuration synchronization (ConfigSync) operation to synchronize the new iApp configuration to the device group members. To do so, perform the following steps from the BIG-IP device in which you installed the SSL Intercept iApp 1.5.8.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.