Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory
Product | Affected | Not Affected
---|---|---
BIG-IP LTM | 9.0.0 - 9.4.8 | 10.x, 11.x
BIG-IP GTM | 9.2.2 - 9.4.8 | 10.x, 11.x
BIG-IP ASM | 9.2.0 - 9.4.8 | 10.x, 11.x
BIG-IP Link Controller | 9.2.2 - 9.4.8 | 10.x, 11.x
BIG-IP WebAccelerator | 9.4.0 - 9.4.8 | 10.x, 11.x
BIG-IP PSM | 9.4.5 - 9.4.8 | 10.x, 11.x
BIG-IP WAN Optimization | None | 10.x, 11.x
BIG-IP APM | None | 10.x, 11.x
BIG-IP Edge Gateway | None | 10.x, 11.x
BIG-IP Analytics | None | 11.x
BIG-IP AFM | None | 11.x
BIG-IP PEM | None | 11.x
FirePass | None | 5.x, 6.x, 7.x
Enterprise Manager | 1.0.0 - 1.4.1 | 1.6.0 - 1.8.0, 2.x, 3.x
ARX | None | 2.x, 3.x, 4.x, 5.x, 6.x
Multiple cross-site scripting (XSS) vulnerabilities in the search function of the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, allow remote attackers to inject arbitrary web script or HTML through a search string parameter.

The vulnerability is only available to authenticated users. Theoretically, a malicious site could use another tab in an admin user's browser to hit a list URL and cause the admin user's Configuration utility to render malicious JavaScript in the admin user's browser. The results are not saved beyond the user's browser.
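The advisory describes a reflected XSS: a search string parameter is written back into the page without output encoding. The following added example (not F5's TMUI code; the `/tmui/search` path and the `q` parameter name are assumptions chosen for illustration) shows a hypothetical vulnerable search handler next to its hardened form, and a small check a defender can use to confirm that a rendered page no longer reflects markup unencoded:

```python
"""
Illustrative example, not F5's TMUI code: how a reflected XSS in a search
parameter arises, and how HTML output encoding removes it.
"""
import html
from urllib.parse import parse_qs, urlsplit


def render_results_vulnerable(search: str) -> str:
    # Hypothetical vulnerable handler: the user-supplied search string is
    # echoed straight into the page body, so any markup it carries is parsed
    # by the admin's browser as live HTML/script.
    return f"<h2>Results for: {search}</h2>"


def render_results_hardened(search: str) -> str:
    # Mitigation: html.escape encodes < > & " ' so the search string is
    # displayed as text rather than interpreted as markup.
    return f"<h2>Results for: {html.escape(search, quote=True)}</h2>"


def search_param_from_url(url: str) -> str:
    # Pulls the (assumed) `q` parameter out of a search URL; '' if absent.
    query = parse_qs(urlsplit(url).query)
    return query.get("q", [""])[0]


def reflects_raw_markup(page: str, probe: str) -> bool:
    # Defender-side check: does the rendered page still contain the probe
    # tag unencoded? True means the parameter is reflected without escaping.
    return probe in page


# Constructed sample request: a search carrying a harmless bold tag as probe.
# Host and path are placeholders, not a real BIG-IP URL.
PROBE = "<b>probe</b>"
SAMPLE_URL = "https://bigip.example.invalid/tmui/search?q=" + PROBE

if __name__ == "__main__":
    term = search_param_from_url(SAMPLE_URL)
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_results_vulnerable(term), PROBE))  # True
    print("hardened reflects raw markup:",
          reflects_raw_markup(render_results_hardened(term), PROBE))    # False
```

The same probe-and-check pattern is what a scanner or a post-upgrade acceptance test does: submit a benign tag in the search parameter and confirm that the response contains only its encoded form.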
For more information, refer to the following two locations:
For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.
For information about managing F5 product hotfixes, refer to K6845: Managing F5 product hotfixes.
Workaround
To prevent a malicious site from exploiting this vulnerability, do not use the same browser for any other website while using the BIG-IP Configuration utility. Also, ensure that you close the browser after completing BIG-IP administration tasks.
F5 would like to acknowledge Marcin Kozlowski for his efforts in identifying this issue, and providing F5 with the initial external notification.