Dec 19, 2015 - 12:00 a.m.

K76930736 : Libpng vulnerability CVE-2015-8126

my.f5.com

AI Score: 8.1 High (Confidence: High)
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.011 Low (Percentile: 82.5%)

Security Advisory Description

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. (CVE-2015-8126)

Impact

All versions of the BIG-IP system include a vulnerable version of libpng; however, only BIG-IP 10.1.0 through 11.3.0 are exposed locally. The affected versions are rated as a Low risk for this issue. In BIG-IP APM 11.4.0 and later, exploitation requires an APM access policy configuration that uses a trusted Citrix resource. Successful exploitation of this vulnerability requires a trusted, configured back-end server to intentionally provide a malicious source image file.

In BIG-IP APM 11.4.0 and later, with the specific deployment scenario, the impact of this vulnerability is a minimal disruption of service for the set of client connections that use VDI. There is no impact to other services, such as SSL VPN and standard virtual server traffic. Exploitation of this issue does not result in a failover event on the BIG-IP system.

Note: The back-end server would have already been trusted due to requirements for configuration and setup of this deployment model.
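
The condition named in the description, a small IHDR bit depth paired with a longer palette, can be checked before an image reaches an unpatched libpng. The following is an added example, not code from F5 or libpng: it walks the chunks of a PNG in memory and flags a PLTE chunk with more entries than 2^bit_depth for a palette image. The names check_plte, sample_png and the return codes are this example's own, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PLTE_OK = 0, PLTE_OVERLONG = 1, PNG_MALFORMED = -1 };  /* example's own codes */

/* Constructed sample: 1x1 palette image, bit depth 1 (2 entries allowed),
 * carrying a 3-entry PLTE. CRC fields are zero; this check does not verify them. */
static const uint8_t sample_png[66] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1,
    1 /* bit depth */, 3 /* colour type: palette */, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 9, 'P', 'L', 'T', 'E', 255, 0, 0, 0, 255, 0, 0, 0, 255, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the chunks and compare the PLTE entry count with the IHDR-derived limit. */
int check_plte(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8, limit = 0;                 /* limit == 0: IHDR not seen yet */
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_MALFORMED;
    while (len - off >= 12) {                  /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12) return PNG_MALFORMED;   /* truncated chunk */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13 || data[8] == 0 || data[8] > 16) return PNG_MALFORMED;
            /* Palette images (colour type 3) may hold 2^bit_depth entries;
             * for other colour types PLTE is capped at 256. */
            limit = (data[9] == 3 && data[8] <= 8) ? (size_t)1 << data[8] : 256;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (limit == 0 || clen % 3 != 0) return PNG_MALFORMED;
            if (clen / 3 > limit) return PLTE_OVERLONG;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return PLTE_OK;
        }
        off += 12 + (size_t)clen;
    }
    return PNG_MALFORMED;                      /* ran out of data before IEND */
}

int main(void) { return check_plte(sample_png, sizeof sample_png) == PLTE_OVERLONG ? 0 : 1; }
```

A PLTE_OVERLONG result marks a file to reject or quarantine; PNG_MALFORMED covers truncated or out-of-order input that should not be passed on either.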
