TMM vulnerability CVE-2016-5023

F5 Product Development has assigned ID 572495 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H19784568 on the Diagnostics >Identified>High page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

1The BIG-IP system has increased exposure to the vulnerability if the system meets the following criteria:

• The BIG-IP system is running any of the following versions:
  • 12.0.0 - 12.0.0 HF2
  • 11.6.0 HF5 - 11.6.0 HF8
  • 11.5.3 - 11.5.4 HF1
  • 11.4.1 HF4 - 11.4.1 HF11
  • 11.2.1 HF11 - 11.2.1 HF15
• The BIG-IP system has virtual servers that are not associated with a TCP Analytics profile but associated with a TCP profile that is configured with the following settings:
  • Multipath TCP (mptcp) setting is disabled (default)
  • Rate Pace (rate-pace) setting of the Congestion Control section is disabled (default)
  • Tail Loss Probe (tail-loss-probe) setting of the Loss Detection and Recovery section is disabled (default)
  • Fast Open (fast-open) setting of the Connection Setup section is disabled (default)
  • Congestion Metrics Cache Timeout (cmetrics-cache-timeout) setting of the Congestion Control section is set to**zero **(default)
  • Congestion Control (congestion-control) setting of the Congestion Control section is set to one of the following:
    • Reno *New Reno *High Speed (default)
    • Scalable Nagle’s Algorithmsetting of the Data Transfer section is set to either*Enabled orDisabled **(default)

Note: Changing the settings in the affected TCP profile to not match the values previously described does not mitigate the vulnerability.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in theVersions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

There is no mitigation for this vulnerability.

• K9970: Subscribing to email notifications regarding F5 products
• K9957: Creating a custom RSS feed to view new and updated documents
• K4602: Overview of the F5 security vulnerability response policy
• K4918: Overview of the F5 critical issue hotfix policy
• K167: Downloading software and firmware from F5
• K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
• K10025: Managing BIG-IP product hotfixes (10.x)
• K9502: BIG-IP hotfix and point release matrix
• K70025261: Overview of the TCP profile (12.x)
• K13924148: Overview of the TCP profile (11.x)
• K7559: Overview of the TCP profile (9.x - 10.x)