Sep 11, 2013 - 12:00 a.m.

K12985 : BIND vulnerability CVE-2011-1910

Source: my.f5.com

AI Score: 6.5 (Confidence: Low)

EPSS: 0.943 (Percentile: 99.2%)

Security Advisory Description

Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

| Product | Affected | Not Affected |
| --- | --- | --- |
| BIG-IP LTM | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP GTM | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP ASM | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP Link Controller | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP WebAccelerator | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP PSM | 9.0.0 - 9.4.8, 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP WOM | 10.0.0 - 10.1.0, 10.2.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP APM | 10.1.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP Edge Gateway | 10.1.0 - 10.2.2 | 10.2.2 HF1, 10.2.3 - 10.2.4, 11.x |
| BIG-IP Analytics | None | 11.x |
| BIG-IP AFM | None | 11.x |
| BIG-IP PEM | None | 11.x |
| BIG-IP AAM | None | 11.x |
| FirePass | None | 5.x, 6.x, 7.x |
| Enterprise Manager | None | \*1.8.0, \*2.0.0 - 2.2.0, 2.3.0, 3.x |
| ARX | None | 5.x, 6.x |

\* F5 Product Development has determined that these Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these Enterprise Manager systems. These products are only vulnerable if BIND was manually configured and enabled.

Vulnerability description and product information

Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets.
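As an added example (not part of the F5 advisory and not ISC or F5 code), the fixed releases named in the description above can be turned into a version check for a standalone ISC BIND 9 version string. It assumes plain release strings such as `9.7.3-P1` or `9.6-ESV-R4-P1`; the names `FIXED`, `parse` and `is_affected` are hypothetical, and pre-release or vendor-suffixed strings return `None` instead of a guess.

```python
import re

# Fixed releases named in the advisory text (CVE-2011-1910).
# Key = (minor, is_esv); value = first fixed (patch or ESV "R" number, P level).
FIXED = {
    (7, False): (3, 1),   # 9.7.3-P1
    (8, False): (0, 2),   # 9.8.0-P2
    (4, True):  (4, 1),   # 9.4-ESV-R4-P1
    (6, True):  (4, 1),   # 9.6-ESV-R4-P1
}

# Accepts 9.Y, 9.Y.Z, 9.Y-ESV, 9.Y-ESV-Rn, each with an optional -Pn suffix.
# An optional leading "BIND " is tolerated (assumption about the input).
_VERSION = re.compile(
    r"^(?:BIND\s+)?9\.(\d+)"
    r"(?:\.(\d+)|-ESV(?:-R(\d+))?)?"
    r"(?:-P(\d+))?$"
)

def parse(version):
    """Return (minor, is_esv, level, p) for a BIND 9 release string, else None."""
    m = _VERSION.match(version.strip())
    if not m:
        return None  # pre-releases (b1, rc2), vendor suffixes, non-9.x
    minor, patch, esv_r, p = m.groups()
    is_esv = "-ESV" in version
    level = int(esv_r or 0) if is_esv else int(patch or 0)
    return int(minor), is_esv, level, int(p or 0)

def is_affected(version):
    """True/False per the advisory's ranges; None if the string is not understood."""
    parsed = parse(version)
    if parsed is None:
        return None
    minor, is_esv, level, p = parsed
    fixed = FIXED.get((minor, is_esv))
    if fixed is not None:
        return (level, p) < fixed
    # No fixed release listed for this branch: "9.x before 9.7.3-P1" covers
    # everything older than the 9.7 branch; newer branches fall outside the ranges.
    return minor < 7
```

On BIG-IP and Enterprise Manager, go by the product table above rather than the BIND version string, since F5 delivered the fix through its own releases and hotfixes.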

Information about this advisory is available at the following locations:

Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

<https://vulners.com/cve/CVE-2011-1910>

F5 Product Development tracked this issue as ID 360515 for BIG-IP and it was fixed in BIG-IP 10.2.3. For information about upgrading, refer to the BIG-IP release notes.

F5 Product Development tracked this issue as ID 364691 for Enterprise Manager and it was fixed in Enterprise Manager 2.3.0. For information about upgrading, refer to the Enterprise Manager release notes.

Additionally, this issue was fixed in Hotfix-BIGIP-10.2.2-HF1 issued for BIG-IP 10.2.2. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

Additionally, this issue has been fixed in an engineering hotfix available for BIG-IP versions 10.2.1 HF3, 10.1.0 HF2 and 9.4.8 HF4. Customers affected by this issue can request a hotfix from F5 Technical Support.

For information about downloading software, refer to K167: Downloading software and firmware from F5.

For information about the F5 hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to K6845: Managing F5 product hotfixes.