SOL00032124 - BIG-IP last hop kernel module vulnerability CVE-2015-5516

2016-01-14T00:00:00
ID SOL00032124
Type f5
Reporter f5
Modified 2016-08-30T00:00:00

Description

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.

Mitigating this vulnerability

To mitigate this vulnerability, you should consider the following recommendations:

  • Permit management access to F5 products only over a secure network, and limit shell access to only trusted users. For more information about securing access to BIG-IP/Enterprise Manager systems, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.
  • Filter UDP traffic to the potentially impacted services by using an upstream firewall.
  • Configure the port lockdown feature to disallow unneeded UDP ports all self IP addresses. For more information, refer to SOL13250: Overview of port lockdown behavior (10.x - 11.x) or SOL17333: Overview of port lockdown behavior (12.x).

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)