Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to SOL4602: Overview of F5 security vulnerability response policy.
F5 products and versions that are not affected by this Security Advisory
F5 Product Development has determined the following products and versions are not subject to the vulnerability described in this security advisory:
F5 products and versions that are affected by this Security Advisory
F5 Product Development has determined the following products and versions are subject to the vulnerability described in this security advisory:
FirePass is not susceptible to this vulnerability, because the TRACE functionality in FirePass has been explicitly disabled.
BIG-IP and 3-DNS are vulnerable because they use Apache. Currently there is no way to disable HTTP TRACE on these products; however, F5 has determined that the risk is very low and, therefore, has chosen not to address this vulnerability.
For this vulnerability to be a security risk for BIG-IP and 3-DNS, the workstation or browser in question would have to be authenticated to the BIG-IP Administration Web Server and that same workstation or browser would then have to visit a web page, of which the attacker would have to know of in advance. The browser would then have to access a page, crafted by the attacker, which would cause the browser to perform an HTTP TRACE against the vulnerable F5 product. This is an extremely unlikely scenario, so the risk is very low.
If you are concerned that this vulnerability may affect the servers that BIG-IP is load balancing, you can address this issue by creating a rule to discard the http_method of TRACE. For information about creating rules, refer to the Reference Guide for the product you are running.
It is also important that you always use the following precautions to minimize exposure to administrative access, which will exponentially decrease the possibility that an F5 product will be compromised:
F5 Product Development tracked this issue as CR29422, CR29885, and CR32144 and it was fixed in BIG-IP and 3-DNS version 4.5.10 of the 4.5 software branch and version 4.6.2 of the 4.6 software branch. For information about upgrading, refer to the BIG-IP or 3-DNS release notes.