
F5 Products: CVSS (Max): 8.0

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2024.2898
K000139404 : Quarterly Security Notification (May 2024)
9 May 2024

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: APM Clients
BIG-IP
NGINX App Protect WAF
Publisher: F5 Networks
Operating System: F5
Resolution: Patch/Upgrade
CVE Names: CVE-2024-26026 CVE-2024-21793 CVE-2024-32761
CVE-2024-25560 CVE-2024-32049 CVE-2024-28883
CVE-2024-28889 CVE-2024-31156 CVE-2024-33604
CVE-2024-27202 CVE-2024-28132 CVE-2024-33612
CVE-2024-33608 CVE-2024-3296

Original Bulletin:
https://my.f5.com/manage/s/article/K000139404

Comment: CVSS (Max): 8.0 CVE-2024-31156 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: F5 Networks
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

K000139404: Quarterly Security Notification (May 2024)

Published Date: May 8, 2024

Security Advisory Description

On May 8, 2024, F5 announced the following security issues. This document is
intended to serve as an overview of these vulnerabilities and security
exposures to help determine the impact to your F5 devices. You can find the
details of each issue in the associated articles.

You can watch the May 2024 Quarterly Security Notification briefing by
DevCentral in the following video:

o High CVEs
o Medium CVEs
o Security Exposures

High CVEs

+---------------------------------------+-----+-------------+-----------------+------------+
|Article (CVE)                          |CVSS |Affected     |Affected         |Fixes       |
|                                       |score|products     |versions^1       |introduced  |
|                                       |     |             |                 |in          |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138636: BIG-IP Configuration       |8.0  |BIG-IP (all  |17.1.0 - 17.1.1  |17.1.1.3    |
|utility XSS vulnerability              |     |modules)     |16.1.0 - 16.1.4  |16.1.4.3    |
|CVE-2024-31156                         |     |             |15.1.0 - 15.1.10 |15.1.10.4   |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138732: BIG-IP Next Central        |7.5  |BIG-IP Next  |20.0.1 - 20.1.0  |20.2.0      |
|Manager OData Injection vulnerability  |     |Central      |                 |            |
|CVE-2024-21793                         |     |Manager      |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138733: BIG-IP Next Central        |7.5  |BIG-IP Next  |20.0.1 - 20.1.0  |20.2.0      |
|Manager SQL Injection vulnerability    |     |Central      |                 |            |
|CVE-2024-26026                         |     |Manager      |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138728: BIG-IP IPsec               |7.5  |BIG-IP (all  |17.1.0           |17.1.1      |
|vulnerability CVE-2024-33608           |     |modules)     |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000139037: TMM vulnerability          |7.5  |BIG-IP (AFM) |17.1.0           |17.1.1      |
|CVE-2024-25560                         |     |             |16.1.0 - 16.1.3  |16.1.4      |
|                                       |     |             |15.1.0 - 15.1.10 |            |
|                                       |     +-------------+-----------------+------------+
|                                       |     |BIG-IP Next  |1.1.0 - 1.1.1    |1.2.0       |
|                                       |     |CNF          |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138634: BIG-IP Next Central        |7.4  |BIG-IP Next  |20.0.1 - 20.0.2  |20.1.0      |
|Manager vulnerability CVE-2024-32049   |     |Central      |                 |            |
|                                       |     |Manager      |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138744: BIG-IP APM browser         |7.4  |BIG-IP (APM) |17.1.0           |17.1.1      |
|network access VPN client              |     |             |16.1.0 - 16.1.4  |16.1.4.2    |
|vulnerability CVE-2024-28883           |     |             |15.1.0 - 15.1.10 |15.1.10.3   |
|                                       |     +-------------+-----------------+------------+
|                                       |     |APM Clients  |7.2.3 - 7.2.4    |7.2.4.4^2   |
+---------------------------------------+-----+-------------+-----------------+------------+

^1 F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.

^2 The fixed versions of APM Client introduce a change in behavior. For more
information, refer to K000136020: BIG-IP APM EPI blocks VPN connections to HTTP
and untrusted HTTPS virtual servers on web browsers.

Medium CVEs

+---------------------------------------+-----+-------------+-----------------+------------+
|Article (CVE)                          |CVSS |Affected     |Affected         |Fixes       |
|                                       |score|products     |versions^1       |introduced  |
|                                       |     |             |                 |in          |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000139012: BIG-IP Next Central        |6.8  |BIG-IP Next  |20.0.1 - 20.1.0  |20.2.0^2    |
|Manager vulnerability CVE-2024-33612   |     |Central      |                 |            |
|                                       |     |Manager      |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000139217: BIG-IP TMM tenants on      |6.5  |BIG-IP (all  |15.1.0 - 15.1.9  |15.1.10     |
|VELOS and rSeries vulnerability        |     |modules)     |                 |            |
|CVE-2024-32761                         |     |             |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138894: BIG-IP Configuration       |6.1  |BIG-IP (all  |17.1.0 - 17.1.1  |17.1.1.3    |
|utility XSS vulnerability              |     |modules)     |16.1.0 - 16.1.4  |16.1.4.3    |
|CVE-2024-33604                         |     |             |15.1.0 - 15.1.10 |15.1.10.4   |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138912: BIG-IP SSL vulnerability   |5.9  |BIG-IP (all  |17.1.0 - 17.1.1  |17.1.1.3    |
|CVE-2024-28889                         |     |modules)     |16.1.2.1 - 16.1.4|16.1.4.3    |
|                                       |     |             |15.1.5 - 15.1.10 |15.1.10.4   |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138520: BIG-IP Configuration       |4.7  |BIG-IP (all  |17.1.0 - 17.1.1  |17.1.1.3    |
|utility vulnerability CVE-2024-27202   |     |modules)     |16.1.0 - 16.1.4  |16.1.4.3    |
|                                       |     |             |15.1.0 - 15.1.10 |15.1.10.4   |
+---------------------------------------+-----+-------------+-----------------+------------+
|K000138913: BIG-IP Next CNF            |4.4  |BIG-IP Next  |1.2.0 - 1.2.1    |1.3.0       |
|vulnerability CVE-2024-28132           |     |CNF          |                 |            |
+---------------------------------------+-----+-------------+-----------------+------------+

^1 F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.

^2 When running the fixed BIG-IP Next Central Manager version 20.2.0 with F5OS
type providers (F5 VELOS/Chassis partitions or rSeries), ensure that the TLS
certificate used by these F5OS systems has well-formed Subject Alternative
Names (SAN).

Security Exposures

+----------------------------------------------+-------------+-----------------+------------+
|Article (Exposure)                            |Affected     |Affected         |Fixes       |
|                                              |products     |versions^1       |introduced  |
|                                              |             |                 |in          |
+----------------------------------------------+-------------+-----------------+------------+
|K000132430: The BIG-IP system may fail to     |BIG-IP (all  |16.1.0 - 16.1.3  |17.1.0      |
|block HTTP Request Smuggling attacks          |modules)     |15.1.0 - 15.1.8  |16.1.4      |
|                                              |             |                 |15.1.9      |
|                                              +-------------+-----------------+------------+
|                                              |BIG-IP Next  |1.5.0 - 1.6.0    |1.7.0       |
|                                              |SPK          |                 |            |
+----------------------------------------------+-------------+-----------------+------------+
|K11342432: BIG-IP HTTP non-RFC-compliant      |BIG-IP       |16.1.0 - 16.1.3  |17.1.0      |
|security exposure                             |(Advanced    |15.1.0 - 15.1.6  |16.1.4      |
|                                              |WAF/ASM)     |                 |15.1.7      |
|                                              +-------------+-----------------+------------+
|                                              |BIG-IP (all  |16.1.0 - 16.1.2  |17.1.0      |
|                                              |other        |15.1.0 - 15.1.5  |16.1.2.2    |
|                                              |modules)     |                 |15.1.5.1    |
+----------------------------------------------+-------------+-----------------+------------+
|K000138898: BIG-IP Advanced WAF/ASM, BIG-IP   |BIG-IP       |17.1.0 - 17.1.1  |17.1.1.3    |
|Next WAF, and NGINX App Protect WAF attack    |(Advanced    |16.1.0 - 16.1.4  |16.1.4.3    |
|signature check failure                       |WAF/ASM)     |15.1.0 - 15.1.10 |15.1.10.4   |
|                                              +-------------+-----------------+------------+
|                                              |BIG-IP Next  |20.0.1 - 20.1.0  |20.2.0      |
|                                              |(WAF)        |                 |            |
|                                              +-------------+-----------------+------------+
|                                              |NGINX App    |4.0.0 - 4.8.0    |4.8.1       |
|                                              |Protect WAF  |3.10.0 - 3.12.2  |            |
+----------------------------------------------+-------------+-----------------+------------+

^1 F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.

Related Content

o K12201527: Overview of Quarterly Security Notifications
o K67091411: Guidance for Quarterly Security Notifications
o K84205182: BIG-IP update and upgrade guide | Chapter 1: Guide contents
o K41942608: Overview of MyF5 security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K39757430: F5 product and services lifecycle policy index
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x – 17.x)
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K000090258: Download F5 products from MyF5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K27404821: Using F5 iHealth to diagnose vulnerabilities
o K000135931: Contact F5 Support

AI Recommended Content

o K10866411 : Creating a custom cipher group using the Configuration utility
o K5903 : BIG-IP software support policy
o K000139508 : rust-openssl vulnerability CVE-2024-3296
o K000135931 : Contact F5 Support

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================