Security Advisory

F5 Family March 2024 First Security Update Advisory

  • Mar 20 2024

Overview

 

An update has been made available to fix vulnerabilities in the F5 family of products. users of affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2018-14880

  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 15.0.0 through 15.1.2
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0 through 14.1.3
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) Versions 13.1.0 through 13.1.4
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 12.1.0 through 12.1.6
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 11.5.2 to 11.6.5
  • Enterprise Manager 3.1.1 version
  • BIG-IQ Centralized Management 8.0.0 to 8.3.0 versions
  • BIG-IQ Centralized Management 7.0.0 to 7.1.0 versions
  • BIG-IQ Centralized Management 6.0.0 to 6.1.0 Versions
  • BIG-IQ Centralized Management 5.2.0 to 5.4.0 versions
  • F5 iWorkflow 2.3.0 version
  • Traffix SDC 5.0.0 through 5.1.0 versions

 

CVE-2023-3611

  • Traffix SDC 5.2.0, 5.1.0 versions

 

CVE-2022-27230

  • BIG-IP Guided Configuration 8.0, 7.0, and 5.0 versions
  • BIG-IP Guided Configuration versions 6.0 through 6.1
  • BIG-IP Guided Configuration 4.1 through 4.2 Versions
  • BIG-IP Guided Configuration versions 3.0 through 3.1

 

CVE-2024-23603

  • BIG-IP (Advanced WAF/ASM) 17.1.0 version
  • BIG-IP (Advanced WAF/ASM) Versions 16.1.0 through 16.1.3
  • BIG-IP (Advanced WAF/ASM) 15.1.0 through 15.1.9 Versions

 

CVE-2023-41964

  • BIG-IP (all modules) 16.1.0 through 16.1.3 versions
  • BIG-IP (all modules) 15.1.0 through 15.1.8 versions
  • BIG-IP (all modules) versions 14.1.0 through 14.1.5
  • BIG-IP (all modules) versions 13.1.0 through 13.1.5
  • BIG-IQ Centralized Management 8.0.0 to 8.3.0 versions

 

CVE-2024-24966

  • F5OS-A version 1.2.0
  • F5OS-C versions 1.3.0 through 1.5.1

 

CVE-2024-23306

  • BIG-IP Next CNF 1.1.0 through 1.1.1 versions

 

CVE-2023-43124

  • BIG-IP APM 17.1.0 through 17.1.1 versions
  • BIG-IP APM 16.1.3.3 through 16.1.4 Versions
  • BIG-IP APM versions 15.1.8 through 15.1.10
  • BIG-IP APM versions 14.1.5.2 through 14.1.5.6
  • BIG-IP APM 13.1.5.1 versions
  • APM Clients 7.2.3 through 7.2.4 versions
  • F5 Access for iOS 3.0.13 to 3.0.14 versions
  • F5 Access for macOS 2.0.2 to 2.0.3 versions
  • F5 Access for Windows 1.2 to 1.3 versions

 

CVE-2024-21782

  • BIG-IP (all modules) version 17.1.0
  • BIG-IP (all modules) versions 16.1.0 through 16.1.3
  • BIG-IP (all modules) versions 15.1.0 through 15.1.8
  • BIG-IQ Centralized Management 8.0.0 to 8.3.0 versions

 

CVE-2023-43125

  • BIG-IP APM 17.1.0 through 17.1.1 versions
  • BIG-IP APM 16.1.3.3 through 16.1.4 versions
  • BIG-IP APM versions 15.1.8 through 15.1.10
  • BIG-IP APM versions 14.1.5.2 through 14.1.5.6
  • BIG-IP APM 13.1.5.1 versions
  • APM Clients 7.2.3 through 7.2.4 versions
  • F5 Access for Android 3.0.9 to 3.0.10 versions
  • F5 Access for iOS 3.0.13 to 3.0.14 versions
  • F5 Access for macOS versions 2.0.2 through 2.0.3
  • F5 Access for Windows 1.2 to 1.3 versions

 

CVE-2020-27617

  • BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) versions 17.1.0 through 17.1.1
  • BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) versions 16.0.0 through 16.1.4
  • BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) versions 15.1.0 through 15.1.10
  • BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) versions 14.1.0 through 14.1.5
  • BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) versions 13.1.0 through 13.1.5

 

CVE-2018-3640

  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) Versions 17.0.0 through 17.1.1
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 16.0.0 through 16.1.4
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 15.0.0 through 15.1.10
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0 through 14.1.5
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 13.0.0 through 13.1.5
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) 12.1.0 through 12.1.6
  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 11.2.1 through 11.6.5
  • Enterprise Manager 3.1.1 version
  • BIG-IQ Centralized Management 8.0.0 to 8.3.0 versions
  • BIG-IQ Centralized Management 7.0.0 to 7.1.0 versions
  • BIG-IQ Centralized Management 6.0.0 to 6.1.0 Versions
  • BIG-IQ Centralized Management 5.0.0 to 5.4.0 versions
  • BIG-IQ Centralized Management 4.6.0 version
  • BIG-IQ Cloud and Orchestration 1.0.0 version
  • F5 iWorkflow 2.1.0 through 2.3.0 versions

 

CVE-2023-43125

  • BIG-IP APM 17.1.0 through 17.1.1 versions
  • BIG-IP APM 16.1.3.3 through 16.1.4 versions
  • BIG-IP APM versions 15.1.8 through 15.1.10
  • BIG-IP APM versions 14.1.5.2 through 14.1.5.6
  • BIG-IP APM 13.1.5.1 versions
  • APM Clients 7.2.3 through 7.2.4 versions
  • F5 Access for Android 3.0.9 to 3.0.10 versions
  • F5 Access for iOS 3.0.13 to 3.0.14 versions
  • F5 Access for macOS versions 2.0.2 through 2.0.3
  • F5 Access for Windows 1.2 to 1.3 versions

 

CVE-2020-22218

  • BIG-IP (all modules) 17.1.0 through 17.1.1 versions
  • BIG-IP (all modules) 16.1.0 through 16.1.4 versions
  • BIG-IP (all modules) versions 15.1.0 through 15.1.10
  • BIG-IQ Centralized Management 8.0.0 to 8.3.0 versions
  • F5OS-A versions 1.5.0 through 1.5.1
  • F5OS-A 1.4.0 through 1.4.0
  • F5OS-A Versions 1.3.0 through 1.3.2
  • F5OS-C Versions 1.6.0 through 1.6.2
  • F5OS-C versions 1.5.0 through 1.5.1

 

CVE-2023-3611

  • Traffix SDC 5.2.0, 5.1.0 versions

 

Resolved Vulnerabilities

 

4.buffer overflow read vulnerability in print-ospf6.c:ospf6_print_lshdr() in the OSPFv3 parser in tcpdump in 9.3 or below (CVE-2018-14880)

Local privilege escalation vulnerability due to an out-of-bounds write vulnerability in the net/sched: sch_qfq component of the Linux kernel (CVE-2023-3611)

XSS vulnerability in F5 BIG-IP Guided Configuration (CVE-2022-27230)

Configuration Utility Vulnerability in BIG-IP Advanced WAF and BIG-IP ASM (CVE-2024-23603)

Variable vulnerability in BIG-IP and BIG-IQ DB (CVE-2023-41964)

LDAP authentication vulnerability in F5OS that could allow an attacker to bypass intended access restrictions (CVE-2024-24966)

Vulnerability in BIG-IP Next CNF that could allow access to undisclosed sensitive files (CVE-2024-23306)

TunnelCrack vulnerability in BIG-IP APM Clients (CVE-2023-43124, CVE-2023-43125)

Scp Vulnerability in BIG-IP and BIG-IQ (CVE-2024-21782)

Denial of Service (DoS) vulnerability due to QEMU process stopping responding (CVE-2020-27617)

Variant 3a, also known as Rogue System Register Read (RSRE), allows unauthorized disclosure of system parameters to an attacker with local user access (CVE-2018-3640)

Vulnerability that could allow IP traffic to be sent outside the VPN tunnel (CVE-2023-43125)

Out-of-bounds memory access vulnerability due to the _libssh2_packet_add function in libssh2 1.10.0 (CVE-2020-22218)

Local privilege escalation vulnerability due to out-of-bounds write vulnerability in the net/sched: sch_qfq component of the Linux kernel (CVE-2023-3611)

 

Vulnerability Patches

 

Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

CVE-2018-14880

  • BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 16.0.0, 15.1.3, 14.1.3.1, 13.1.4.1

 

CVE-2023-3611

  • patch version not available

 

CVE-2022-27230

  • BIG-IP Guided Configuration version 9.0
  • BIG-IP APM 16.1.0 through 16.1.2 Versions
  • BIG-IP APM 15.1.0 through 15.1.5 Versions
  • BIG-IP APM 14.1.0 through 14.1.4 Versions
  • BIG-IP APM versions 13.1.0.8 through 13.1.5

 

CVE-2024-23603

  • BIG-IP (Advanced WAF/ASM) version 17.1.1
  • BIG-IP (Advanced WAF/ASM) version 16.1.4
  • BIG-IP (Advanced WAF/ASM) 15.1.10 version

 

CVE-2023-41964

  • BIG-IP (all modules) version 17.1.0
  • BIG-IP (all modules) version 16.1.4
  • BIG-IP (all modules) 15.1.9 version
  • BIG-IQ Centralized Management Hotfix-BIG-IQ-8.3.0.0.12.118-ENG3, Hotfix-BIG-IQ-8.2.0.1.0.13.97-ENG3 versions

 

CVE-2024-24966

  • F5OS-A version 1.3.0
  • F5OS-C version 1.6.0

 

CVE-2024-23306

  • BIG-IP Next CNF 1.2.0 version

 

CVE-2023-43124

  • APM Clients 7.2.4.6 version

 

CVE-2024-21782

  • BIG-IP (all modules) version 17.1.1
  • BIG-IP (all modules) version 16.1.4
  • BIG-IP (all modules) 15.1.9 version
  • BIG-IQ Centralized Management 8.3.0 + Hotfix – BIG-IQ-8.3.0.0.16.118-ENG3 version

 

CVE-2023-43125

  • APM Clients 7.2.4.6 version

 

CVE-2020-27617

  • Updated based on content from Referenced Sites [11]

 

CVE-2018-3640

  • Updated based on content in Referenced Sites [12]

 

CVE-2023-43125

  • APM Clients version 7.2.4.6

 

CVE-2020-22218

  • F5OS-A version 1.7.0, 1.5.2

 

CVE-2023-3611

  • Updated based on content from Referenced Sites [15]

 

Referenced Sites

 

[1] K56551263: tcpdump vulnerability CVE-2018-14880
https://my.f5.com/manage/s/article/K56551263
[2] K000138726: Linux kernel vulnerability CVE-2023-3611
https://my.f5.com/manage/s/article/K000138726
[3] K21317311: F5 BIG-IP Guided Configuration XSS vulnerability CVE-2022-27230
https://my.f5.com/manage/s/article/K21317311
[4] K000138047: BIG-IP Advanced WAF and BIG-IP ASM Configuration utility vulnerability CVE-2024-23603
https://my.f5.com/manage/s/article/K000138047
[5] K20850144: BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964
https://my.f5.com/manage/s/article/K20850144
[6] K000133111: F5OS vulnerability CVE-2024-24966
https://my.f5.com/manage/s/article/K000133111
[7] K000137886: BIG-IP Next CNF vulnerability CVE-2024-23306
https://my.f5.com/manage/s/article/K000137886
[8] K000136907: BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124
https://my.f5.com/manage/s/article/K000136907
[9] K98606833: BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782
https://my.f5.com/manage/s/article/K98606833
[10] K000136909: BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125
https://my.f5.com/manage/s/article/K000136909
[11] K41142448: QEMU vulnerability CVE-2020-27617
https://my.f5.com/manage/s/article/K41142448?utm_source=f5support&utm_medium=RSS
[12] K51801290: RSRE Variant 3a vulnerability CVE-2018-3640
https://my.f5.com/manage/s/article/K51801290?utm_source=f5support&utm_medium=RSS
[13] K000136909: BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125
https://my.f5.com/manage/s/article/K000136909?utm_source=f5support&utm_medium=RSS
[14] K000138219: libssh2 vulnerability CVE-2020-22218
https://my.f5.com/manage/s/article/K000138219?utm_source=f5support&utm_medium=RSS
[15] K000138726: Linux kernel vulnerability CVE-2023-3611
https://my.f5.com/manage/s/article/K000138726?utm_source=f5support&utm_medium=RSS

Tags:

Previous Post

Next Post