For more information, refer to the following two locations:
F5 Product Development tracked this issue as CR113089 and CR90703, and it was fixed in BIG-IP 10.0.0 and Enterprise Manager 1.6.0. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, WebAccelerator, or Enterprise Manager release notes.
F5 Product Development also tracked this issue as CR90703, and it was fixed for Firefox browser clients in BIG-IP 9.4.4. However, the Internet Explorer browser was still vulnerable. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, or WebAccelerator release notes.
Additionally, this issue was fixed for Firefox browser clients in Hotfix-BIG-IP-9.3.1-HF-2, issued for BIG-IP 9.3.1. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.
To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.
For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.
For information about managing F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.
To prevent a malicious site from exploiting this vulnerability, do not use the same browser session for any other website while using the BIG-IP Configuration utility. Also, ensure that you close the browser after completing BIG-IP administration tasks.
F5 would like to acknowledge Marcin Kozlowski for his efforts in identifying this issue, and providing F5 with the initial external notification.