F5F5:K8280K8280 : Cross-site scripting vulnerabilities in BIG-IP Configuration utility CVE-2008-0265
Security Advisory Description
Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.F5 products and versions that have been evaluated for this Security Advisory
| Product | Affected | Not Affected |
|---|---|---|
| BIG-IP LTM | 9.0.0 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP GTM | 9.2.2 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP ASM | 9.2.0 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP Link Controller | 9.2.2 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP WebAccelerator | 9.4.0 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP PSM | 9.4.5 - 9.4.8 | 10.x |
| 11.x | ||
| BIG-IP WAN Optimization | None | 10.x |
| 11.x | ||
| BIG-IP APM | None | 10.x |
| 11.x | ||
| BIG-IP Edge Gateway | None | 10.x |
| 11.x | ||
| BIG-IP Analytics | None | 11.x |
| BIG-IP AFM | None | 11.x |
| BIG-IP PEM | None | 11.x |
| FirePass | None | 5.x |
| 6.x | ||
| 7.x | ||
| Enterprise Manager | 1.0.0 - 1.4.1 | 1.6.0 - 1.8.0 |
| 2.x | ||
| 3.x | ||
| ARX | None | 2.x |
| 3.x | ||
| 4.x | ||
| 5.x | ||
| 6.x | ||
| Multiple cross-site scripting (XSS) vulnerabilities in the search function of the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, allow remote attackers to inject arbitrary web script or HTML through a search string parameter. | ||
| The vulnerability is only available to authenticated users. Theoretically, a malicious site could use another tab in an admin user’s browser to hit a list URL and cause the admin user’s Configuration utility to render malicious JavaScript in the admin user’s browser. The results are not saved beyond the user’s browser. | ||
| For more Information, refer to the following two locations: |
- <http://www.securityfocus.com/bid/27272/>
- <https://vulners.com/cve/CVE-2008-0265>
- <http://secunia.com/advisories/28505>
F5 Product Development tracked this issue as CR113089 and CR90703 and it was fixed in BIG-IP 10.0.0 and Enterprise Manager 1.6.0. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, WebAccelerator, or Enterprise Manager release notes.
F5 Product Development also tracked this issue as CR90703 and it was fixed for Firefox browser clients in BIG-IP 9.4.4. However, the Internet Explorer browser was still vulnerable. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, or WebAccelerator release notes.
Additionally, this issue was fixed for Firefox browser clients in Hotfix-BIG-IP-9.3.1-HF-2 issued for BIG-IP 9.3.1. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.
To view a list of the latest available hotfixes, refer to K9502: BIG-IP hotfix matrix.
For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.
For information about managing F5 product hotfixes, refer to K6845: Managing F5 product hotfixes.
Workaround
To prevent a malicious site from executing this vulnerability, refrain from using a browser for more than one website when using the BIG-IP Configuration utility. Also, ensure that you close the browser after completing BIG-IP administration tasks.
Acknowledgements
F5 would like to acknowledge Marcin Kozlowski for his efforts in identifying this issue, and providing F5 with the initial external notification.
Related
