F5 (BIG-IP, NGINX) Family August 2024 Security Update Advisory
Overview
F5 has released updates that address three vulnerabilities in BIG-IP, BIG-IP Next and NGINX Plus. Users of the affected versions listed below are advised to upgrade to the fixed versions given under Vulnerability Patches.
Affected Products
CVE-2024-39809
- BIG-IP Next Central Manager version: 20.1.0
CVE-2024-39792
- NGINX Plus Versions: R30 (inclusive) ~ R32 (inclusive)
CVE-2024-41164
- BIG-IP Next SPK versions: 1.7.0 (inclusive) ~ 1.8.2 (inclusive)
- BIG-IP Next CNF versions: 1.1.0 (inclusive) ~ 1.1.1 (inclusive)
- BIG-IP (all modules) version: 17.1.0
- BIG-IP (all modules) versions: 16.1.0 (inclusive) ~ 16.1.4 (inclusive)
- BIG-IP (all modules) versions: 15.1.0 (inclusive) ~ 15.1.9 (inclusive)
Resolved Vulnerabilities
CVE-2024-39809: BIG-IP Next Central Manager does not invalidate a user's session when that user logs out. An attacker who has obtained the user's session cookie (for example from a compromised client) can keep using that session to access Central Manager and the BIG-IP Next instances it manages after the user has logged out.
CVE-2024-39792: When NGINX Plus is configured with the MQTT pre-read module (see [2]), undisclosed requests cause resource consumption in the NGINX master and worker processes to climb until the processes degrade and have to be restarted, either by the supervisor or manually. A remote attacker can use this to degrade service and ultimately cause a denial of service. Deployments that do not use MQTT pre-read are not exposed to this issue but should still update.
CVE-2024-41164: When a TCP profile with Multipath TCP (MPTCP) enabled is applied to a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic processing; the triggering conditions are beyond the attacker's control. Only virtual servers using a TCP profile with MPTCP enabled are exposed; the built-in tcp profile ships with MPTCP disabled, so check custom TCP profiles.
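The following is an added example, not F5 code, that models the session-handling flaw behind CVE-2024-39809 in a generic cookie-based session store. The vulnerable logout only tells the browser to discard the cookie, so a copied cookie keeps working on the server; the hardened logout also destroys the server-side session. The store, the cookie name and the attacker simulation are assumptions made for illustration.

```python
"""Logout without server-side invalidation (the CVE-2024-39809 pattern).

Added example, not F5 code. SessionStore is a hypothetical minimal
session store; replay_after_logout() simulates an attacker who copied
the victim's cookie and replays it after the victim logs out.
"""
import secrets
import time
from typing import Dict, Optional


class SessionStore:
    """Server-side session store keyed by an opaque cookie value."""

    def __init__(self, invalidate_on_logout: bool, ttl_seconds: int = 3600):
        self._sessions: Dict[str, dict] = {}
        self.invalidate_on_logout = invalidate_on_logout
        self.ttl = ttl_seconds

    def login(self, user: str) -> str:
        """Create a session and return the cookie value the client will hold."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "expires": time.time() + self.ttl}
        return cookie

    def logout(self, cookie: str) -> Dict[str, str]:
        """Return the Set-Cookie header the server sends on logout.

        Vulnerable variant: only clears the cookie in the client's browser,
        the server still accepts the old value.
        Hardened variant: also removes the session server-side.
        """
        if self.invalidate_on_logout:
            self._sessions.pop(cookie, None)
        return {"Set-Cookie": "session=; Max-Age=0; Secure; HttpOnly"}

    def authenticate(self, cookie: Optional[str]) -> Optional[str]:
        """Resolve a cookie to a user, or None if the session is gone/expired."""
        sess = self._sessions.get(cookie or "")
        if sess is None:
            return None
        if sess["expires"] < time.time():
            self._sessions.pop(cookie, None)
            return None
        return sess["user"]


def replay_after_logout(invalidate_on_logout: bool) -> bool:
    """True if a cookie stolen before logout still authenticates afterwards."""
    store = SessionStore(invalidate_on_logout)
    victim_cookie = store.login("admin")
    stolen_cookie = victim_cookie          # attacker copied it earlier
    store.logout(victim_cookie)            # victim logs out
    return store.authenticate(stolen_cookie) is not None


if __name__ == "__main__":
    print("vulnerable logout, replay succeeds:", replay_after_logout(False))
    print("hardened logout, replay succeeds: ", replay_after_logout(True))
```

The same flow is how to verify the fix against a real deployment: log in, capture the session cookie, log out, then replay the captured cookie against an authenticated endpoint; a patched system must reject it.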
Vulnerability Patches
The following fixed versions are available for each product. Follow the instructions in the referenced F5 articles to upgrade to the fixed version or later.
CVE-2024-39809
- BIG-IP Next Central Manager version: 20.2.0
CVE-2024-39792
- NGINX Plus version: R32 P1
- NGINX Plus version: R31 P3 (no patch release is listed for R30; upgrade to R31 P3 or R32 P1)
CVE-2024-41164
- BIG-IP Next SPK version: 1.9.0
- BIG-IP Next CNF version: 1.2.0
- BIG-IP (all modules) version: 17.1.1
- BIG-IP (all modules) version: 16.1.5
- BIG-IP (all modules) version: 15.1.10
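To triage installed versions against the Affected Products and Vulnerability Patches lists above, the following added example (not F5 code) parses an NGINX Plus version banner and a BIG-IP version string and reports whether the advisory applies. It assumes the banner format printed by `nginx -v` for NGINX Plus (for example `nginx version: nginx/1.25.5 (nginx-plus-r32-p1)`) and BIG-IP version strings of the form `major.minor.maintenance[.point]`; the sample strings in the block are constructed.

```python
"""Version triage for the F5 August 2024 advisory.

Added example, not F5 code. Ranges are transcribed from the advisory:
  CVE-2024-41164: BIG-IP 17.1.0, 16.1.0-16.1.4, 15.1.0-15.1.9
                  (fixed in 17.1.1, 16.1.5, 15.1.10)
  CVE-2024-39792: NGINX Plus R30-R32 (fixed in R32 P1, R31 P3)
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, fixed-in) per BIG-IP branch, inclusive bounds.
# A bare "17.1.0" covers every 17.1.0.x point release.
BIGIP_RANGES = [
    ((17, 1, 0), (17, 1, 0), "17.1.1"),
    ((16, 1, 0), (16, 1, 4), "16.1.5"),
    ((15, 1, 0), (15, 1, 9), "15.1.10"),
]
NGINX_PLUS_AFFECTED = range(30, 33)       # R30..R32 inclusive
NGINX_PLUS_FIXED_PATCH = {32: 1, 31: 3}   # release -> first fixed patch level

# Matches the release tag in an NGINX Plus banner, e.g. "nginx-plus-r32-p1".
NGINX_PLUS_RE = re.compile(r"nginx-plus-r(\d+)(?:-p(\d+))?")


def parse_bigip(version: str) -> Tuple[int, int, int]:
    """'17.1.0.3' -> (17, 1, 0); point releases share the branch's status."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected BIG-IP version: {version!r}")
    return tuple(int(p) for p in parts[:3])  # type: ignore[return-value]


def bigip_status(version: str) -> str:
    v = parse_bigip(version)
    for low, high, fixed in BIGIP_RANGES:
        if low <= v <= high:
            return f"affected by CVE-2024-41164, upgrade to {fixed} or later"
        if v[:2] == low[:2] and v > high:
            return "not affected (fixed release on this branch)"
    return "branch not listed in advisory"


def parse_nginx_plus(banner: str) -> Optional[Tuple[int, int]]:
    """Return (release, patch) from an NGINX Plus banner, or None if absent."""
    m = NGINX_PLUS_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def nginx_plus_status(banner: str) -> str:
    parsed = parse_nginx_plus(banner)
    if parsed is None:
        return "not an NGINX Plus banner; advisory lists only NGINX Plus"
    release, patch = parsed
    if release not in NGINX_PLUS_AFFECTED:
        return "release not listed in advisory"
    fixed_patch = NGINX_PLUS_FIXED_PATCH.get(release)
    if fixed_patch is not None and patch >= fixed_patch:
        return "not affected (patched)"
    return "affected by CVE-2024-39792, upgrade to R32 P1 or R31 P3"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real systems.
    for banner in ["nginx version: nginx/1.25.5 (nginx-plus-r32-p1)",
                   "nginx version: nginx/1.25.1 (nginx-plus-r30)"]:
        print(banner, "->", nginx_plus_status(banner))
    for ver in ["17.1.0.3", "16.1.5", "15.1.9", "14.1.5"]:
        print("BIG-IP", ver, "->", bigip_status(ver))
```

For NGINX Plus the result only says whether the code is vulnerable; exposure additionally requires the MQTT pre-read module to be configured. For BIG-IP, a release inside an affected range is exposed only on virtual servers whose TCP profile has MPTCP enabled.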
References
[1] K000140111: BIG-IP Next Central Manager vulnerability CVE-2024-39809
https://my.f5.com/manage/s/article/K000140111
[2] K000140108: NGINX Plus MQTT vulnerability CVE-2024-39792
https://my.f5.com/manage/s/article/K000140108
[3] K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164