SOL19784568 - TMM vulnerability CVE-2016-5023

2016-08-11 00:00:00
support.f5.com

EPSS: 0.004 (Low)
EPSS percentile: 73.9%

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP 11.6.0 and later

To reduce the risk of exposure to this vulnerability, you must enable the tm.tcpprogressive database variable, as well as enable both the Multipath TCP and Rate Pace settings in the affected TCP profile. To do so, perform the following procedure:

Note: Performing the following procedure only reduces the risk of exposure; the procedure does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.

**Impact of action:** Modifying the database variable requires restarting TMM, and will halt all traffic processing. You should perform this procedure during a planned maintenance window. Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Enable the tm.tcpprogressive database variable by typing the following command:

modify sys db tm.tcpprogressive value enable

  3. Enable the Multipath TCP and Rate Pace settings for the affected TCP profile by using the following command syntax:

modify ltm profile tcp <affected tcp profile name> mptcp enabled rate-pace enabled

For example, you would type the following command to enable the Multipath TCP and Rate Pace settings for the mytcpprof profile:

modify ltm profile tcp mytcpprof mptcp enabled rate-pace enabled

  4. Repeat the previous step for each of the affected TCP profiles.
  5. Save the changes by typing the following command:

save sys config partitions all

  6. Restart the tmm process by typing the following command:

restart /sys service tmm

BIG-IP 11.5.x

To reduce the risk of exposure to this vulnerability, you must enable both the Multipath TCP and Rate Pace settings, set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:

Note: Performing the following procedure only reduces the risk of exposure; the procedure does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.

**Impact of action:** Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Enable the Multipath TCP and Rate Pace settings for the affected TCP profile by using the following command syntax:

modify ltm profile tcp <affected tcp profile name> mptcp enabled rate-pace enabled

For example, you would type the following command to enable the Multipath TCP and Rate Pace settings for the mytcpprof profile:

modify ltm profile tcp mytcpprof mptcp enabled rate-pace enabled

  3. Set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile by using the following command syntax:

modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled

For example, you would type the following command to set these settings for the mytcpprof profile:

modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled

  4. Repeat the previous two steps for each of the affected TCP profiles.
  5. Save the changes by typing the following command:

save sys config partitions all

BIG-IP 11.3.0 through, and including, 11.4.1

To reduce the risk of exposure to this vulnerability, you must set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:

Note: Performing the following procedure only reduces the risk of exposure; the procedure does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.

**Impact of action:** Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile by using the following command syntax:

modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled

For example, you would type the following command to set these settings for the mytcpprof profile:

modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled

  3. Repeat the previous step for each of the affected TCP profiles.
  4. Save the changes by typing the following command:

save sys config partitions all

BIG-IP 11.2.1 and earlier

To reduce the risk of exposure to this vulnerability for versions prior to BIG-IP 11.3.0, you must enable the tm.tcpprogressive database variable, set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:

Note: Performing the following procedure only reduces the risk of exposure; the procedure does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.

**Impact of action:** Modifying the database variable requires restarting TMM, and will temporarily halt all traffic processing. You should perform this procedure during a planned maintenance window. Depending on your application environment, modifying these TCP profile settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.

  1. Log in to the tmsh utility by typing the following command:

tmsh

  2. Enable the tm.tcpprogressive database variable by typing the following command:

modify sys db tm.tcpprogressive value enable

  3. Set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile by using the following command syntax:

modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled

For example, you would type the following command to set these settings for the mytcpprof profile:

modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled

  4. Repeat the previous step for each of the affected TCP profiles.
  5. Save the changes by typing the following command:

save sys config partitions all

  6. Restart the tmm process by typing the following command:

restart /sys service tmm
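The four procedures above differ only in which TCP profile settings and database variable each BIG-IP branch needs. The following shell script is an added example, not part of F5's SOL: it parses `tmsh list ltm profile tcp all-properties` and `tmsh list sys db tm.tcpprogressive` output and reports every required setting a profile lacks, so an operator can confirm the mitigation is actually in place on every affected profile. The sample output embedded below is constructed, and the assumption that each profile setting appears as a `key value` line inside its `ltm profile tcp <name> { ... }` block is mine.

```shell
#!/bin/sh
# Constructed sample of `tmsh list ltm profile tcp all-properties` output.
# Assumed format: one "key value" line per setting inside each profile block.
SAMPLE_PROFILES='ltm profile tcp mytcpprof {
    defaults-from tcp
    init-cwnd 1
    mptcp enabled
    rate-pace enabled
    slow-start enabled
}
ltm profile tcp legacyprof {
    defaults-from tcp
    init-cwnd 10
    mptcp disabled
    rate-pace disabled
    slow-start disabled
}'
# Constructed sample of `tmsh list sys db tm.tcpprogressive` output (assumed format).
SAMPLE_DB='sys db tm.tcpprogressive {
    value "enable"
}'

# Profile settings the SOL asks for, keyed by BIG-IP branch (major.minor).
required_settings() {
    case "$1" in
        11.6|12.*) echo "mptcp=enabled rate-pace=enabled" ;;                       # 11.6.0 and later
        11.5)      echo "mptcp=enabled rate-pace=enabled init-cwnd=1 slow-start=enabled" ;;
        11.3|11.4) echo "init-cwnd=1 slow-start=enabled" ;;
        *)         echo "init-cwnd=1 slow-start=enabled" ;;                         # 11.2.1 and earlier
    esac
}

# Usage: check_profiles <branch> <list-output>
# Prints "<profile> missing <key>=<value>" for each required setting a profile
# lacks or has set differently; prints nothing when every profile is mitigated.
check_profiles() {
    printf '%s\n' "$2" | awk -v req="$(required_settings "$1")" '
        BEGIN { n = split(req, pairs, " ") }
        /^ltm profile tcp / { name = $4; split("", seen); next }
        /^}/ {
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (seen[kv[1]] != kv[2]) print name " missing " pairs[i]
            }
            next
        }
        NF == 2 { seen[$1] = $2 }'
}

# Usage: db_enabled <list-output>; succeeds only when tm.tcpprogressive is "enable"
# (required on 11.6.0 and later and on 11.2.1 and earlier, alongside the profile settings).
db_enabled() { printf '%s\n' "$1" | grep -q '^ *value "enable"$'; }
```

On a live system, feed the script `tmsh list ltm profile tcp all-properties` so that defaulted settings are visible too; a profile that never shows up in the report carries every setting the chosen branch requires.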

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL10025: Managing BIG-IP product hotfixes (10.x)
  • SOL9502: BIG-IP hotfix matrix
  • SOL70025261: Overview of the TCP profile (12.x)
  • SOL13924148: Overview of the TCP profile (11.x)
  • SOL7559: Overview of the TCP profile (9.x - 10.x)
