SOL00032124 - BIG-IP last hop kernel module vulnerability CVE-2015-5516

Vulnerability Recommended Actions

If you are running a version listed in theVersions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable**column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.

Mitigating this vulnerability

To mitigate this vulnerability, you should consider the following recommendations:

• Permit management access to F5 products only over a secure network, and limit shell access to only trusted users. For more information about securing access to BIG-IP/Enterprise Manager systems, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.
• Filter UDP traffic to the potentially impacted services by using an upstream firewall.
• Configure the port lockdown feature to disallow unneeded UDP ports all self IP addresses. For more information, refer to SOL13250: Overview of port lockdown behavior (10.x - 11.x) or SOL17333: Overview of port lockdown behavior (12.x).

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)