Jan 20, 2009 - 12:00 a.m.

SOL9592 - bzip2 vulnerability CVE-2008-1372

2009-01-20 00:00:00
support.f5.com

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.086 Low
Percentile: 93.8%

Information about this advisory is available at the following location:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372>

Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 Product Development tracked this issue as CR114442 and CR107644 for BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, FirePass, and Enterprise Manager, and it was fixed in BIG-IP 9.4.7 and 10.0.0, and in Enterprise Manager 1.7. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, Link Controller, PSM, WebAccelerator, or Enterprise Manager release notes.

Workaround

The affected versions of BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, and Enterprise Manager have the bzip2 package installed. However, the package is not used and can be safely removed by typing the following command:

rpm -e bzip2

Note: The bzip2 package cannot be safely removed from the affected versions of FirePass and WANJet products.

The FirePass controller is a closed system with no administrative access to the underlying operating system. Bzip2 is used exclusively for compressing logs, and it poses a low risk of being compromised by this vulnerability.
