Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
BIG-IP 11.6.0 and later
To reduce the risk of exposure to this vulnerability, you must enable the tm.tcpprogressive database variable, as well as enable both the Multipath TCP and Rate Pace settings in the affected TCP profile. To do so, perform the following procedure:
Note: Performing the following procedure only reduces the risk of exposure; it does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.
**Impact of action:** Modifying the database variable requires restarting TMM, and will halt all traffic processing. You should perform this procedure during a planned maintenance window. Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.
1. Open the Traffic Management Shell: `tmsh`
2. Enable the database variable: `modify sys db tm.tcpprogressive value enable`
3. Enable Multipath TCP and Rate Pace in the affected TCP profile: `modify ltm profile tcp <affected tcp profile name> mptcp enabled rate-pace enabled`
   For example, you would type the following command to enable the Multipath TCP and Rate Pace settings for the mytcpprof profile: `modify ltm profile tcp mytcpprof mptcp enabled rate-pace enabled`
4. Save the configuration: `save sys config partitions all`
5. Restart TMM: `restart /sys service tmm`
BIG-IP 11.5.x
To reduce the risk of exposure to this vulnerability, you must enable both the Multipath TCP and Rate Pace settings, set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:
Note: Performing the following procedure only reduces the risk of exposure; it does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.
**Impact of action:** Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.
1. Open the Traffic Management Shell: `tmsh`
2. Enable Multipath TCP and Rate Pace in the affected TCP profile: `modify ltm profile tcp <affected tcp profile name> mptcp enabled rate-pace enabled`
   For example, you would type the following command to enable the Multipath TCP and Rate Pace settings for the mytcpprof profile: `modify ltm profile tcp mytcpprof mptcp enabled rate-pace enabled`
3. Set the Initial Congestion Window Size to 1 and enable Slow Start in the affected TCP profile: `modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled`
   For example, you would type the following command to set these settings for the mytcpprof profile: `modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled`
4. Save the configuration: `save sys config partitions all`
BIG-IP 11.3.0 through, and including, 11.4.1
To reduce the risk of exposure to this vulnerability, you must set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:
Note: Performing the following procedure only reduces the risk of exposure; it does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.
**Impact of action:** Depending on your application environment, modifying these TCP settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.
1. Open the Traffic Management Shell: `tmsh`
2. Set the Initial Congestion Window Size to 1 and enable Slow Start in the affected TCP profile: `modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled`
   For example, you would type the following command to set these settings for the mytcpprof profile: `modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled`
3. Save the configuration: `save sys config partitions all`
BIG-IP 11.2.1 and earlier
To reduce the risk of exposure to this vulnerability for versions prior to BIG-IP 11.3.0, you must enable the tm.tcpprogressive database variable, set the Initial Congestion Window Size setting to 1, and enable the Slow Start setting in the affected TCP profile. To do so, perform the following procedure:
Note: Performing the following procedure only reduces the risk of exposure; it does not completely eliminate the vulnerability. To resolve this vulnerability, F5 recommends that you upgrade to a version listed in the Versions known to be not vulnerable column.
**Impact of action:** Modifying the database variable requires restarting TMM, and will temporarily halt all traffic processing. You should perform this procedure during a planned maintenance window. Depending on your application environment, modifying these TCP profile settings may impact the performance of the associated virtual server. Additionally, modifying the TCP profile of a virtual server while it is processing traffic may have an adverse impact on the performance of the affected virtual server. F5 recommends that you perform adequate testing in your application environment, and implement the changes during an appropriate maintenance period.
1. Open the Traffic Management Shell: `tmsh`
2. Enable the database variable: `modify sys db tm.tcpprogressive value enable`
3. Set the Initial Congestion Window Size to 1 and enable Slow Start in the affected TCP profile: `modify ltm profile tcp <affected tcp profile name> init-cwnd 1 slow-start enabled`
   For example, you would type the following command to set these settings for the mytcpprof profile: `modify ltm profile tcp mytcpprof init-cwnd 1 slow-start enabled`
4. Save the configuration: `save sys config partitions all`
5. Restart TMM: `restart /sys service tmm`
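Because the required mitigation differs by release, it is easy to apply the wrong set of settings or to miss a profile. The following Python is an added example, not F5 tooling: it encodes the four version bands above and checks a `tmsh list ltm profile tcp` dump against them. The sample dump is constructed, and the sys db state is assumed to be passed in as a plain name-to-value dict (with the quotes tmsh prints already stripped).

```python
CWND = {"init-cwnd": "1", "slow-start": "enabled"}    # TCP profile settings
MPTCP = {"mptcp": "enabled", "rate-pace": "enabled"}  # TCP profile settings
# (floor version, required sys db values, required profile settings), one entry
# per version band of the procedures above; the first floor reached applies.
REQUIRED = [
    ((11, 6, 0), {"tm.tcpprogressive": "enable"}, MPTCP),
    ((11, 5, 0), {}, {**MPTCP, **CWND}),
    ((11, 3, 0), {}, CWND),
    ((0, 0, 0), {"tm.tcpprogressive": "enable"}, CWND),
]

def requirements(version):
    for floor, db_vars, settings in REQUIRED:
        if tuple(version) >= floor:
            return db_vars, settings

def parse_tcp_profiles(text):
    """Parse 'tmsh list ltm profile tcp' output into {name: {setting: value}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        if line.startswith("ltm profile tcp "):
            current = profiles.setdefault(line.split()[3], {})  # profile name
        elif line.strip() == "}":
            current = None
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return profiles

def missing_settings(version, profile, db_values):
    """List the mitigation settings this profile / sys db state still lacks."""
    db_vars, settings = requirements(version)
    gaps = [f"sys db {k} is not {v}" for k, v in db_vars.items()
            if db_values.get(k) != v]
    gaps += [f"profile {k} is not {v}" for k, v in settings.items()
             if profile.get(k) != v]
    return gaps

# Constructed sample of 'tmsh list ltm profile tcp' output, not real data.
SAMPLE = """\
ltm profile tcp mytcpprof {
    mptcp enabled
    rate-pace enabled
}
ltm profile tcp webprof {
    init-cwnd 1
    slow-start enabled
}
"""
```

The parser assumes flat profile bodies as in the sample; a profile with nested sub-blocks would need brace tracking. In this sample, webprof is fully mitigated for 11.3.0 through 11.4.1 but still lacks both MPTCP settings on 11.6.0 and later.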
Supplemental Information
| CPE Name | Operator | Version |
|---|---|---|
| big-ip afm | le | HF7 |
| big-ip ltm | le | HF7 |
| big-ip aam | le | HF7 |
| big-ip gtm | le | HF7 |
| big-ip asm | le | HF7 |
| big-ip apm | le | HF7 |
| big-ip pem | le | HF7 |
| big-ip webaccelerator | le | HF15 |
| big-ip wom | le | HF15 |
| big-ip analytics | le | HF7 |