CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.086 Low
Percentile: 93.8%
Information about this advisory is available at the following location:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372>
Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.
F5 Product Development tracked this issue as CR114442 and CR107644 for BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, FirePass, and Enterprise Manager. It was fixed in BIG-IP 9.4.7 and 10.0.0, and in Enterprise Manager 1.7. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, Link Controller, PSM, WebAccelerator, or Enterprise Manager release notes.
Workaround
The affected versions of BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, and Enterprise Manager have the bzip2 package installed. However, the package is not used and can be safely removed by typing the following command:
rpm -e bzip2
Note: The bzip2 package cannot be safely removed from the affected versions of FirePass and WANJet products.
The FirePass controller is a closed system with no administrative access to the underlying operating system. Bzip2 is used exclusively for compressing logs, and it poses a low risk of being compromised by this vulnerability.