%{session.server.network.name}

### Security Advisory Description The access policy logon page (logon.inc) in F5 BIG-IP APM 11.1.0 through 11.2.1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. (CVE-2013-5975) Impact Clickjacking protection in the BIG-IP APM access policy logon page may be insufficient. ### Security Advisory Status F5 Product Development tracked this vulnerability as ID 395751, and has evaluated the currently-supported releases for potential vulnerability. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. Product| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature ---|---|---|--- BIG-IP LTM| None| 9.0.0 - 9.6.1 10.0.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP AAM| None| 11.4.0| None BIG-IP AFM| None| 11.3.0 - 11.4.0| None BIG-IP Analytics| None| 11.0.0 - 11.4.0| None BIG-IP APM| 11.1.0 - 11.2.1| 10.1.0 - 10.2.4 11.3.0 - 11.4.0| Access Policy logon page BIG-IP ASM| None| 9.2.0 - 9.4.8 10.0.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP Edge Gateway| None| 10.1.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP GTM| None| 9.2.2 - 9.4.8 10.0.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP Link Controller| None| 9.2.2 - 9.4.8 10.0.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP PEM| None| 11.3.0 - 11.4.0| None BIG-IP PSM| None| 9.4.5 - 9.4.8 10.0.0 - 10.2.4 11.0.0 - 11.4.0| None BIG-IP WebAccelerator| None| 9.4.0 - 9.4.8 10.0.0 - 10.2.4 11.0.0 - 11.3.0| None BIG-IP WOM| None| 10.0.0 - 10.2.4 11.0.0 - 11.3.0| None ARX| None| 5.0.0 - 5.3.1 6.0.0 - 6.4.0| None Enterprise Manager| None| 1.6.0 - 1.8.0 2.0.0 - 2.3.0 3.0.0 - 3.1.1| None FirePass| None| 6.0.0 - 6.1.0 7.0.0| None BIG-IQ Cloud| None| 4.0.0 - 4.1.0| None BIG-IQ Security| None| 4.0.0 - 4.1.0| None **Note** : This issue has been addressed in BIG-IP APM 11.3.0 and later through the use of the x-frame-options header in the Access Policy pages. Modifying a BIG-IP APM 11.3.0 or later system dB variable settings for **apm.xframeoptions** or **apm.xframeoptions.allowfrom** from their defaults may open the system to this vulnerability. For more information, refer to K16642: Overview of the apm.xframeoptions db key. ### Security Advisory Recommended Actions If the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists. F5 is responding to this vulnerability as determined by the parameters defined in K4602: Overview of the F5 security vulnerability response policy. To mitigate this vulnerability, you can modify the logon web page to include additional code to protect against clickjacking. To do so, perform the following procedure: **Impact of action:** Performing the following procedure should not have a negative impact on your system. 1. Log in to the Configuration utility. 2. Navigate to **Access Policy**. 3. Navigate to **Access Policy** > **Customization** >**Advanced** **Customization**. 4. From the **Edit Mode** menu, select **Advanced**. 5. Select the resource type folder for **Access Profiles**. 6. Select the subfolder that shares the name of the affected access policy. 7. Select the folder **Logon Pages** >**Logon Page**. 8. Select the **logon.inc** file. 9. In the **logon.inc** file, locate the line **** (typically line 96 of an unmodified **login.inc** file). You will see the following lines just below this title. %{session.server.network.name} 10. Locate the last line listed in the previous example (typically line 103 of an unmodified **logon.inc** file), and add the following code just after that line: 11. Locate the function**sessionTimedOut ()**(typically line 113 after completing the previous modification). 12. After function**sessionTimedOut ()** , add the following lines, starting at line 114. **** if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = self.location; } 13. In the top right corner of the editor, click **Save Draft**. 14. In the top left side of the editor, click**Save**. 15. In the top left corner of the Configuration utility, click **Apply Access Policy**. 16. Click**Apply Access Policy**. ### Acknowledgements F5 would like to acknowledge Tony Dimichele, with BNP Paribas US, for his efforts in identifying this issue.