SOL14410 - Multiple MySQL vulnerabilities
Vulnerability Recommended Actions To eliminate these vulnerabilities, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. For Enterprise Manager, if you are unable to upgrade to 3.1.0, you can mitigate the remote vulnerability by configurin...
SOL14371 - Apache Axis vulnerability CVE-2012-5784
Vulnerability Recommended Actions If you are using iControl Assembly 11.2 and earlier, the Apache axis.jar file is vulnerable to CVE-2012-5784. To eliminate this vulnerability, upgrade to iControl Assembly 11.3. To do so, download the latest version of the iControl Assembly package at . Note: A...
SOL14382 - OpenSSH vulnerability CVE-2008-3259
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy...
SOL14386 - BIND vulnerability CVE-2013-2266
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the table. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to...
SOL14334 - BIG-IP Analytics generates predictable session cookies
Recommended action To mitigate this vulnerability, you can use an iRule to encrypt the BIG-IP Analytics session cookie sent to the client. To do so, perform the following procedure: Impact of procedure: Performing the following procedure should not have a negative impact on your system. 1. Log in...
SOL14316 - BIND vulnerability CVE-2012-3817
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS...
SOL14317 - OpenSSH J-PAKE vulnerability CVE-2010-4478
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy...
SOL14261 - OpenSSL OCSP vulnerability CVE-2013-0166
Recommended action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. Supplemental Information Common Vulnerabilities and Exposures CVE-2013-0166 Note: The previous link takes you to a resource outside of...
SOL14228 - OpenSSH vulnerability CVE-2007-2243
Recommended Action None Supplemental Information CVE-2007-2243 SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
SOL14229 - OpenSSH vulnerability CVE-2007-2768
Recommended action None Supplemental Information Common Vulnerabilities and Exposures CVE-2007-2243 SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents. SOL4602: Overview of the F5 security vulnerability response...
SOL14236 - OpenSSL vulnerability CVE-2012-2686
Recommended action None Supplemental Information Common Vulnerabilities and Exposures CVE-2012-2686 Note: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge. SOL9970: Subscribing to email notifications regarding F5 produc...
SOL14204 - BIND vulnerability CVE-2011-4313
F5 Product Development has determined that these Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these Enterprise Manager systems. These products are only vulnerable if BIND was manually configured and enabled. Recommended actio...
SOL14201 - BIND denial-of-service attack CVE-2012-5166/CVE-2012-4244
Recommended Action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. To mitigate this vulnerability, you can disable recursion of the DNS server. To do so, perform the following procedure: Impact of action...
SOL14190 - TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
Vulnerability Recommended Actions BIG-IP FirePass Enterprise Manager ARX BIG-IP The following section describes affected BIG-IP components and how to protect those components from potential exploit. Mitigating the exploit for the MGMT interface and the Configuration utility The BIG-IP Configurati...
SOL14161 - OpenSSH vulnerability CVE-2007-4752
Recommended action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy Note: The following link takes you to a...
SOL14154 - SQL injection vulnerability from an authenticated source CVE-2012-3000
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column. Acknowledgements F5 would like to acknowledge SEC Consult Vulnerability Lab for bringing this issue to our attention, and for following the...
SOL14138 - XML External Entity Injection (XXE) from authenticated source vulnerability CVE-2012-2997
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column. Acknowledgements F5 would like to acknowledge SEC Consult Vulnerability Lab for bringing this issue to our attention, and for following the...
SOL14059 - CRIME vulnerability via the SPDY protocol CVE-2012-4930
The SPDY protocol 3, and earlier, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plain text HTTP headers by observing length differences during a series of guesses in which a string i...
SOL14054 - CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
Vulnerability Recommended Actions To eliminate this vulnerability, perform one of the following actions: Upgrade to a software version that is listed in the Versions known to be Not Vulnerable column of the table. Upgrade your client browser to a non-vulnerable version. Supplemental Information...
SOL14046 - FirePass input validation vulnerability
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. F5 strongly recommends that you install HF-70-7 for FirePass 7.0.0 to address this vulnerability. Acknowledgements F5 wou...
SOL13993 - Cross-site URL redirection attack vulnerability CVE-2009-4017
Vulnerability Recommended Actions Upgrade FirePass to the latest hotfix. Acknowledgements F5 would like to acknowledge Aung Khant of YGN Ethical Hacker Group, Myanmar for bringing this issue to our attention, and for following the highest standards of responsible disclosure. Supplemental...
SOL13838 - XSS vulnerability CVE-2012-2975
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version or hotfix that is listed in the Versions known to be not vulnerable column in the previous table. Acknowledgements F5 would like to acknowledge Roger Wemyss with Dell SecureWorks for his efforts in identifying...
SOL13719 - Samba vulnerability CVE-2012-1182
Vulnerability Recommended Actions None Supplemental Information CVE-2012-1182 Note: The previous link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge. SOL9970: Subscribing to email notifications regarding F5 products SOL9957:...
SOL13660 - BIND vulnerability CVE-2012-1667
BIG-IP 9.4.8 HF6 contains a patch backported from BIND 9.6 to BIND 9.4. However, the BIND version string was not updated to indicate a change was made. Recommended Action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the...
SOL13656 - FirePass SQL injection vulnerability
Recommended action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. F5 strongly recommends that you install HF-601-9 for FirePass version 6.1.0 or HF-70-7 for FirePass version 7.0.0 to address this...
SOL13600 - SSH vulnerability CVE-2012-1493
Recommended Action If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version...
SOL13607 - Hosts may generate weak RSA keys under low entropy conditions
A recent study, linked in the Supplemental Information section, has revealed that when a system generates new RSA keys under low-entropy conditions, such as during the first system boot, the resulting keys may not be cryptographically strong. During its first boot, the BIG-IP system generates...
SOL13605 - FirePass sudo vulnerability - CVE-2012-2053
Recommended action F5 recommends that you upgrade to the latest FirePass hotfix to ensure that you have the latest security updates. Supplemental Information CERT advisory regarding CVE-2012-2053 SOL167: Downloading software and firmware from F5 SOL10322: FirePass hotfix matrix SOL3430: Installin...
SOL13598 - OpenSSL vulnerability CVE-2012-0884
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data using a Million Message Attack (MMA) adaptive chosen ciphertext...
SOL13597 - OpenSSL vulnerability CVE-2012-1165
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) using a crafted S/MIME message; a different vulnerability than CVE-2006-7250...
SOL13588 - PHP vulnerability CVE-2011-4885
Recommended action BIG-IP To mitigate this vulnerability, expose the administrative interface only on trusted networks and limit login access to trusted users. FirePass For information about hotfix status, contact F5 Technical Support. Supplemental Information CVE-2011-4885 SOL9970: Subscribing t...
SOL13519 - Multiple PHP vulnerabilities
Vulnerability Recommended Actions To mitigate this vulnerability, expose the administrative interface only on trusted networks and limit login access to trusted users. Impact of action: None. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957:...
SOL13518 - Multiple PHP vulnerabilities
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents. SOL4602: Overview of the F5 security vulnerability response policy...
SOL13463 - FirePass SQL injection vulnerability - CVE-2012-1777
Recommended action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. F5 strongly recommends installing FirePass HF-377712-1 to address this vulnerability. Supplemental Information CERT advisory regarding...
SOL13400 - SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, the...
SOL13432 - OpenSSL vulnerability CVE-2010-0433
Recommended action None Supplemental Information CVE-2010-0433 Note: This link will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS...
SOL13279 - PHP vulnerability CVE-2009-4017
Recommended Action None Supplemental Information Note: This link will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view n...
SOL13277 - Apache vulnerability CVE-2009-2412
Recommended action ARX To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column of the table. To mitigate this vulnerability, do not enable access to the ARX management API. Supplemental Information Note: The previous link takes you to...
SOL13275 - PHP vulnerability CVE-2009-3293
Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy...
SOL13233 - TMM vulnerability CVE-2013-6016
Vulnerability Recommended Actions To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS...
SOL13219 - DHCP Client vulnerability CVE-2011-0997
Recommended action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. To mitigate this vulnerability, when configuring the AOM or SCCP for access over the network, you should use a static IP address and not...
SOL13231 - PHP vulnerability CVE-2009-2626
In PHP 5.3.0 and PHP 5.2.10 and earlier, the zend_restore_ini_entry_cb function in zend_ini.c allows context-specific attackers to obtain sensitive information (memory contents) and causes PHP to fail by using the ini_set function to declare a variable, and then using the ini_restore function to restore t...
SOL13114 - Apache Range header vulnerability - CVE-2011-3192
The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) using a Range header that expresses multiple overlapping ranges. When this vulnerability is exploited, the httpd...
SOL13108 - TCP Packet Filtering Weakness - CERT VU#464113
This security advisory describes a TCP vulnerability. Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies. For example, an attacker may be able to bypass network acce...
SOL12998 - OpenSSL vulnerability CVE-2011-1945
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine...
SOL12986 - BIND vulnerability CVE-2011-2464
Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9.7.x before 9.7.3-P3, and 9.8.x before 9.8.0-P4 allows remote attackers to cause a denial of service (DoS, named daemon crash) by way of a crafted UPDATE request. Information about this advisory is available at the following...
SOL12985 - BIND vulnerability CVE-2011-1910
Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets...
SOL12953 - A Cross-Site Scripting (XSS) vulnerability exists in the BIG-IP ASM Web Scraping feature
To determine if the BIG-IP ASM configuration contains any vulnerable security policies, check whether the policies configured on the system have the Web Scraping feature set to Block. To do so, open the Configuration utility and navigate to Application Security Policy List policyname Blocking...
SOL12853 - OpenSSL vulnerability CVE-2008-7270
F5 Product Development has determined that these specific product versions are not vulnerable to the OpenSSL session cache issue indicated by CVE-2008-7270. While these product versions may allow a client to change the ciphersuite on a subsequent connection, the system allows the client to change...