
Apache HTTPD vulnerability CVE-2017-9798

Description

F5 Product Development has assigned ID 684033 (BIG-IP) to this vulnerability. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP AAM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1 | Not vulnerable¹ | None
BIG-IP AFM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1 | Not vulnerable¹ | None
BIG-IP Analytics | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP APM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP ASM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP DNS | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2 | Not vulnerable¹ | None
BIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable¹ | None
BIG-IP GTM | None | 11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP Link Controller | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1<br>11.2.1 | Not vulnerable¹ | None
BIG-IP PEM | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.4.1 - 11.6.1 | Not vulnerable¹ | None
BIG-IP PSM | None | 11.4.1 | Not vulnerable¹ | None
BIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable¹ | None
BIG-IP WebSafe | None | 13.0.0 - 13.0.1<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1 | Not vulnerable¹ | None
ARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager | None | 3.1.1 | Not vulnerable | None
BIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None
BIG-IQ Centralized Management | None | 5.0.0 - 5.3.0<br>4.6.0 | Not vulnerable | None
BIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None
F5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable¹ | None
LineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None
Traffix SDC | None | 5.0.0 - 5.1.0<br>4.0.0 - 4.4.0 | Not vulnerable | None

¹ The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations. Additionally, F5 iWorkflow does not run Apache HTTPD.

None

Configuring the BIG-IP system to protect vulnerable back-end Apache servers

While the BIG-IP system is not vulnerable, the BIG-IP system will proxy exploits to vulnerable Apache servers behind the BIG-IP system. You can protect these servers by disallowing the **OPTIONS** method in all requests. To do so, you can apply any of the following methods to each BIG-IP virtual server:

**Impact of action**: Requests using the **OPTIONS** method will be blocked.

* You can use the **HTTP::method** iRules command to check for the **OPTIONS** method and then perform actions such as returning an HTTP 501 response code to the client. For more information, refer to the following iRules snippet:

  ```tcl
  when HTTP_REQUEST {
      if { [HTTP::method] equals "OPTIONS" } {
          HTTP::respond 501
      } else {
          # additional logic if needed.
      }
  }
  ```

* The HTTP profile allows you to limit the permitted HTTP methods in the **Known Methods** setting (under the **Enforcement** section). You can configure the affected HTTP profile with the value **Reject** for the **Unknown Method** setting and delete the value **OPTIONS** from the **Known Methods** setting.
* For the BIG-IP PSM system, by default, the HTTP Security profile does not allow the HTTP OPTIONS method. You can associate the default HTTP Security profile to the affected virtual servers.
* For the BIG-IP ASM system, by default, the ASM security policy does not allow the HTTP OPTIONS method. You must ensure that the HTTP OPTIONS method is not configured in the **Allowed Methods** setting on the **Security** > **Application Security** > **Headers** > **Methods** page. The BIG-IP ASM system will log an Illegal Method violation when it detects HTTP methods that are not listed in the **Allowed Methods** setting. For more information, refer to [K12312: Overview of BIG-IP ASM Illegal Method violations](<https://support.f5.com/csp/article/K12312>).

* [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)
* [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)
* [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)
* [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)
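
Because the OPTIONS block described above has to be applied to each virtual server, one way to find a virtual server that was missed is to look for OPTIONS requests still arriving in the back-end Apache access logs after the change. The Python below is an added example, not F5's code: it assumes the Apache combined log format, and the log lines, addresses and cutoff time are constructed.

```python
import re
from datetime import datetime, timezone

# Prefix of Apache common/combined format:
# host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: back-end access log, mitigation applied at 10:00 UTC.
CUTOFF = datetime(2017, 9, 20, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2017:09:58:11 +0000] "OPTIONS / HTTP/1.1" 200 - "-" "curl/7.55.1"',
    '10.0.0.5 - - [20/Sep/2017:10:05:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [20/Sep/2017:10:07:40 +0000] "OPTIONS /app/ HTTP/1.1" 200 - "-" "curl/7.55.1"',
    '::1 - - [20/Sep/2017:10:08:00 +0000] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.4.27 (Unix) (internal dummy connection)"',
    '10.0.0.6 - - [20/Sep/2017:10:09:00 +0000] "-" 408 - "-" "-"',
]

def options_after_cutoff(lines, cutoff):
    """Return (hits, unparsed) for OPTIONS requests logged at or after cutoff.

    hits is a list of (time, source host, path, status). Apache's own
    "internal dummy connection" OPTIONS requests are skipped because they
    originate on the server itself and never pass through the BIG-IP.
    """
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # e.g. a timed-out request logged as "-"
            continue
        if "internal dummy connection" in line:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"].upper() == "OPTIONS" and when >= cutoff:
            hits.append((when, m["host"], m["path"], int(m["status"])))
    return hits, unparsed

if __name__ == "__main__":
    found, skipped = options_after_cutoff(SAMPLE_LOG, CUTOFF)
    for when, host, path, status in found:
        print(f"{when.isoformat()} OPTIONS {path} from {host} -> {status}")
    print(f"{len(found)} OPTIONS request(s) after cutoff, {skipped} unparsed line(s)")
```

Any hit means a request path to that server is not covered by one of the methods above; the source address in the log shows which BIG-IP self IP or client it arrived from.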

