5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.951 High
EPSS
Percentile
99.1%
Vulnerability Recommended Actions
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
BIG-IP
Configuration utility
The Configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certification authentication, such as, when you perform the procedures in either of the following articles:
To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client side certification authentication. If that is not possible, F5 recommends that you permit access to the Configuration utility only over a secure network and limit login access to trusted users.
Client SSL profiles
Client SSL profiles are not vulnerable in a default configuration. The Client SSL profile is vulnerable if it has been modified to enable the Client Authentication option and is associated with a virtual server. To mitigate the vulnerability, do not enable the Client Authentication option on the Client SSL profile.
Server SSL profiles
Server SSL profiles are vulnerable in a default configuration, however, this vulnerability would require a backend server (pool member) to perform malicious actions as the BIG-IP system is acting as a client in this instance.
HTTPS Health monitor
The HTTPS health monitor is vulnerable by default. This vulnerability would require the BIG-IP system to monitor the health of a malicious server. To mitigate this vulnerability, limit traffic between the BIG-IP system and pool members to trusted traffic.
BIG-IP GTM
Both the gtmdand big3dprocesses are vulnerable in a default configuration. In addition, monitored BIG-IP systems whose big3dprocess was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IP systems to trusted traffic.
Enterprise Manager
The big3dprocesses is vulnerable in a default configuration. In addition, monitored systems whose big3dprocess was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IQ systems to trusted traffic.
BIG-IQ
The BIG-IQ configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certification authentication. To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client side certification authentication.
Server SSL profiles are vulnerable in a default configuration; however, this vulnerability would require a backend server (pool member) to perform malicious actions, as the BIG-IP system is acting as a client in this instance.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/13000/400/sol13444.html
support.f5.com/kb/en-us/solutions/public/13000/700/sol13703.html
support.f5.com/kb/en-us/solutions/public/15000/100/sol15106.html
support.f5.com/kb/en-us/solutions/public/17000/300/sol17329.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html