Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
Identifying log messages relevant to the vulnerability
The primary means of identifying the vulnerability is by locating the relevant log messages in the /var/log/ltm file. For the HSB lockup to occur, the system must be operating in Syncookie mode. Therefore, you should look for the following two log messages in proximity to each other.
warning tmm[PID]: 01010038:4: Syncookie threshold 1993 exceeded, virtual = 10.11.12.13:443
Note: The actual threshold value will vary.
crit tmm[PID]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.
Note: The lockup by itself is not necessarily indicative of this vulnerability, as other issues may produce the same log message. However, if both the platform and software version are within the vulnerable set as indicated above, presence of the error messages may indicate exposure to the vulnerability.
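The following sketch shows one way to check /var/log/ltm for the two messages appearing together. It is an added example, not F5 code. The syslog prefix (timestamp and the constructed hostname bigip1), the five-minute window, and the requirement that the Syncookie message comes first are assumptions; the page only says the messages appear "in proximity".

```python
import re
from datetime import datetime, timedelta

SYNCOOKIE = "01010038"   # "Syncookie threshold ... exceeded"
HSB_LOCKUP = "01230111"  # "HSB DMA lockup on transmitter failure"
WINDOW = timedelta(minutes=5)  # assumption: the advisory does not define "proximity"

# Assumed line layout: "<Mon DD HH:MM:SS> <host> <level> tmm[PID]: <code>:<sev>: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \w+ tmm\d*\[\d+\]: "
    r"(?P<code>\d{8}):\d+: (?P<msg>.*)$"
)

# Constructed sample lines (not taken from a real device).
SAMPLE = [
    "Mar  3 10:00:01 bigip1 warning tmm[12345]: 01010038:4: Syncookie threshold 1993 exceeded, virtual = 10.11.12.13:443",
    "Mar  3 10:01:30 bigip1 crit tmm[12345]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.",
    "Mar  4 02:15:00 bigip1 crit tmm[12345]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.",
]

def parse(line):
    """Return (timestamp, message code, message text), or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed leap year keeps Feb 29 parseable.
    # Logs that span a year boundary are not handled here.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["code"], m["msg"]

def correlate(lines, window=WINDOW):
    """Pair each HSB lockup with the latest Syncookie warning seen within `window` before it."""
    last_syncookie = None
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, code, msg = rec
        if code == SYNCOOKIE:
            last_syncookie = (ts, msg)
        elif code == HSB_LOCKUP and last_syncookie is not None:
            gap = ts - last_syncookie[0]
            if timedelta(0) <= gap <= window:
                hits.append((last_syncookie[1], msg, gap))
    return hits

if __name__ == "__main__":
    for syn, lockup, gap in correlate(SAMPLE):
        print(f"lockup {gap.total_seconds():.0f}s after Syncookie warning: {syn} -> {lockup}")
```

A match only indicates possible exposure when the platform and software version are also in the vulnerable set, as the note above states.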
Mitigating the vulnerability
F5 strongly encourages you to upgrade to a fixed release to mitigate this issue. However, if you are unable to upgrade at this time, contact F5 Technical Support to obtain an iRule mitigation.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html