Security Advisory Description
On October 26, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
Critical CVEs
Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
---|---|---|---|---|
K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747 | 9.8 | BIG-IP (all modules) | 17.1.0 - 17.1.1 | |
16.1.0 - 16.1.4 | ||||
15.1.0 - 15.1.10 | ||||
14.1.0 - 14.1.5 | ||||
13.1.0 - 13.1.5 |
17.1.1.1
17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG2
17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG2
16.1.4.2
16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG2
15.1.10.3
15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG2
14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG2
13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG2
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
2F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IP system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. After selecting your product and version from the Downloads page, scroll to the bottom of the page to locate the hotfix file. For example, to download Hotfix-BIGIP-17.1.0.3.0.75.4-ENG, select 17.1.0.3, then scroll down to selectHotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
High CVEs
Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
---|---|---|---|---|
K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748 | 8.8 | BIG-IP (all modules) | 17.1.0 - 17.1.1 | |
16.1.0 - 16.1.4 | ||||
15.1.0 - 15.1.10 | ||||
14.1.0 - 14.1.5 | ||||
13.1.0 - 13.1.5 | 17.1.1.1 | |||
17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG2 | ||||
17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG2 | ||||
16.1.4.2 | ||||
16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG2 | ||||
15.1.10.3 | ||||
15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG2 | ||||
14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG2 | ||||
13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG2 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
2F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IP system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. After selecting your product and version from the Downloads page, scroll to the bottom of the page to locate the hotfix file. For example, to download Hotfix-BIGIP-17.1.0.3.0.75.4-ENG, select 17.1.0.3, then scroll down to selectHotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Security Exposures
Article (Exposure) | Affected products | Affected versions1 | Fixes introduced in |
---|
K000137322: BIG-IP iRule or LTM policy may generate multiple HTTP redirect responses
| BIG-IP (all modules)| 17.1.0 - 17.1.1
16.1.0 - 16.1.4
15.1.0 - 15.1.10
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 17.1.1.1
16.1.4.2
15.1.10.3
BIG-IP Next (all modules)| 20.0.1| None
BIG-IP Next SPK| 1.5.0 - 1.8.2| None
BIG-IP Next CNF| 1.1.0 - 1.1.1| None
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.