Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severityvalues published in the previous table. The Severityvalues and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, you can perform one of the following recommended modifications to the NTP service:
Configure the NTP service to use multiple time sources
To add multiple time sources for the NTP service using the Configuration Utility, perform the following procedure:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Configure the NTP service to restrict the use of ntpq queries with the restrict noquery directive
To configure the NTP service to restrict the use of ntpq withnoquery directive, perform the following procedure.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
modify sys ntp restrict modify { <Name> { no-query enabled } }
For example, to modify an existing access restriction name called ntp_restriction to enablenoquery, type the following command:
modify sys ntp restrict modify { ntp_restriction { no-query enabled } }
* If you do not have an existing access restriction configured, use the following command syntax:
modify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled }
For example, to configure an access restriction named ntp_restriction, for the 192.168.1.0/24 subnet, withnotrap,nomodify,andnoquery enabled, type the following command:
modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled }
3. Save the configuration by typing the following command:
save /sys config
Configure restrict network access to the NTP service
For information about restricting network access to the NTP service, refer to SOL13092: Overview of securing access to the BIG-IP system.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/15000/100/sol15106.html
support.f5.com/kb/en-us/solutions/public/15000/100/sol15113.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html