F5 has stated that an unauthenticated attacker with network access to the BIG-IP system may be able to execute arbitrary system commands. This vulnerability only affects the control plane, not the data plane.
The following versions of BIG-IP have been found to be vulnerable –
- 17.1.0 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.20.2-ENG)
F5 has provided a shell script as a mitigation for users of BIG-IP versions 14.1.0 and above. It must not be run on any BIG-IP version prior to 14.1.0, as doing so will prevent the Configuration utility from starting.
Other temporary workarounds available for users are below –
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface
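The first workaround relies on the self IP Port Lockdown setting (`allow-service` in tmsh). A way to check whether it has actually been applied on every self IP is to audit the output of `tmsh list net self`. The following Python script is an added example, not F5's mitigation script or anything from the advisory; it assumes the `tmsh list net self` output format shown in the constructed sample below, and treats `default` and `all` as exposing the Configuration utility because both admit TCP 443.

```python
import re

# Constructed sample of `tmsh list net self` output (assumed format, not captured
# from a real device). Addresses are documentation ranges.
SAMPLE_TMSH_OUTPUT = """\
net self external-self {
    address 192.0.2.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-self {
    address 198.51.100.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha-self {
    address 203.0.113.10/24
    allow-service {
        tcp:https
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
"""

# Service names in a custom Port Lockdown list that reach the Configuration utility.
HTTPS_SERVICES = {"tcp:https", "tcp:443"}


def parse_self_ips(text):
    """Return {name: {"address": ..., "allow": [...]}} from tmsh `list net self` output."""
    result = {}
    # Each self IP is a `net self <name> { ... }` block closed by a `}` at column 0.
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        if block:
            # Custom list: one service per line inside the braces.
            allow = block.group(1).split()
        else:
            # Keyword form: `allow-service none` / `allow-service all`.
            kw = re.search(r"^\s*allow-service (\S+)", body, re.M)
            # Assumption: a self IP with no allow-service line is treated as
            # "unknown" and flagged, so the audit fails closed.
            allow = [kw.group(1)] if kw else ["unknown"]
        result[name] = {"address": addr.group(1) if addr else None, "allow": allow}
    return result


def exposes_config_utility(allow):
    """True if this Port Lockdown setting leaves TCP 443 reachable on the self IP."""
    if "none" in allow:
        return False
    if "default" in allow or "all" in allow or "unknown" in allow:
        return True
    return any(s in HTTPS_SERVICES for s in allow)


def audit(text):
    """Map each self IP name to whether the Configuration utility is still exposed."""
    return {name: exposes_config_utility(info["allow"])
            for name, info in parse_self_ips(text).items()}


if __name__ == "__main__":
    for name, info in parse_self_ips(SAMPLE_TMSH_OUTPUT).items():
        state = "EXPOSED" if exposes_config_utility(info["allow"]) else "blocked"
        print(f"{name:16} {info['address']:20} allow-service={info['allow']} -> {state}")
```

On a real unit, pipe the live output in (`tmsh list net self | python3 audit_selfips.py` after replacing the sample with `sys.stdin.read()`); any self IP reported as EXPOSED still needs the workaround, and the same review should be repeated for the management interface access list, which this script does not cover.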
To read the F5 Security Advisory, click here.