F5 Product Development has determined the likelihood of exploitation is low for the cross-site scripting (XSS) vulnerability disclosed in CVE-2007-5000. Exploiting this vulnerability would require an administrator of an F5 device to interact with a web page crafted by an attacker. Possible attacks could include recovering that administrator or operator's password to the BIG-IP.
Note: The BIG-IP system ships with the mod_imap module; however, the BIG-IP Configuration utility does not use or rely on mod_imap.
Information about this advisory is available at the following location:
F5 Product Development tracked this issue as CR59618 and it was fixed in BIG-IP 9.3.0 and 9.4.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller, and WebAccelerator release notes.
If you are using a vulnerable version and upgrading is not an immediate option, you can disable mod_imap by performing the following procedure:
Change to the Apache configuration directory:
cd /config/httpd/conf
Open the httpd.conf file with a file editor and comment out the mod_imap entry by inserting # at the beginning of the following line:
Restart the httpd service so that the change takes effect:
bigstart restart httpd
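The following shell functions are an added example, not F5's own code: they check an httpd.conf for an active mod_imap LoadModule directive and comment it out idempotently, so the edit above can be verified before and after the restart. They assume mod_imap is loaded with Apache's standard directive form "LoadModule imap_module <path>"; the sample httpd.conf fragment is constructed for demonstration, and the exact line on a BIG-IP should be taken from the device's own httpd.conf.

```shell
#!/bin/sh
# Added example (not F5's code). Assumption: mod_imap is loaded via the
# standard Apache directive "LoadModule imap_module <path>".

# Print the number of LoadModule lines for imap_module that are NOT already
# commented out. A result of 0 means mod_imap will not be loaded by httpd.
count_active_mod_imap() {
    grep -c '^[[:space:]]*LoadModule[[:space:]][[:space:]]*imap_module' "$1" || true
}

# Comment out every active mod_imap LoadModule line in place. Lines that
# already start with '#' do not match, so running this twice is harmless.
disable_mod_imap() {
    sed -i 's/^\([[:space:]]*\)\(LoadModule[[:space:]][[:space:]]*imap_module.*\)$/\1#\2/' "$1"
}

# Write a constructed httpd.conf fragment (sample data, not a real BIG-IP file).
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local/httpd"
LoadModule ssl_module modules/mod_ssl.so
LoadModule imap_module modules/mod_imap.so
#LoadModule status_module modules/mod_status.so
EOF
}

# Stand-alone demonstration on a temporary copy; on a real system point the
# functions at /config/httpd/conf/httpd.conf and then run "bigstart restart httpd".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "active mod_imap lines before: $(count_active_mod_imap "$tmp")"
    disable_mod_imap "$tmp"
    echo "active mod_imap lines after:  $(count_active_mod_imap "$tmp")"
    rm -f "$tmp"
fi
```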