SOL9592 - bzip2 vulnerability CVE-2008-1372

2009-01-20T00:00:00
ID SOL9592
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

Information about this advisory is available at the following location:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372>

Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 Product Development tracked this issue as CR114442 and CR107644 for BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, FirePass, and Enterprise Manager. The issue was fixed in BIG-IP 9.4.7 and 10.0.0, and in Enterprise Manager 1.7. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, Link Controller, PSM, WebAccelerator, or Enterprise Manager release notes.

Workaround

The affected versions of BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, and Enterprise Manager have the bzip2 package installed. However, the package is not used and can be safely removed by typing the following command:

rpm -e bzip2

Note: The bzip2 package cannot be safely removed from the affected versions of FirePass and WANJet products.

The FirePass controller is a closed system with no administrative access to the underlying operating system. On FirePass, bzip2 is used exclusively for compressing logs, and the risk of compromise through this vulnerability is low.
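
A guarded form of the rpm -e bzip2 workaround above, added here as an example and not taken from the F5 advisory. It assumes a root shell on one of the affected systems where the advisory says the package is unused; the function name remove_bzip2 and the --run argument are made up for this example.

```shell
#!/bin/sh
# Added example: guarded form of the advisory's "rpm -e bzip2" workaround.
# Assumption: run as root on an affected system where the advisory says
# the package is unused (not FirePass or WANJet).

PKG=bzip2

# Returns 0 if the package was removed or was already absent,
# 1 if the dry run failed and nothing was changed,
# 2 if the erase failed or the package is still present afterwards.
remove_bzip2() {
    # Nothing to do if the package is not installed.
    if ! rpm -q "$PKG" >/dev/null 2>&1; then
        echo "$PKG is not installed; nothing to remove"
        return 0
    fi

    # Dry run: --test performs rpm's dependency checks without erasing.
    if ! rpm -e --test "$PKG"; then
        echo "dry run failed; $PKG left in place" >&2
        return 1
    fi

    rpm -e "$PKG" || return 2

    # Confirm the package database no longer lists it.
    if rpm -q "$PKG" >/dev/null 2>&1; then
        echo "$PKG still installed after erase" >&2
        return 2
    fi
    echo "$PKG removed"
    return 0
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    remove_bzip2
fi
```

The dry run reports any installed package that still depends on bzip2 before the package database is changed.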