SOL61974123 - ImageMagick vulnerability CVE-2016-3718

2016-05-1300:00:00

support.f5.com

0.971 High

EPSS

Percentile

99.8%

JSON

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in theVersions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP/BIG-IQ/Enterprise Manager

To mitigate this vulnerability, you can disable the vulnerable ImageMagick coders in the global policy file**/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

Log in to the command line of the affected system.
Back up the ImageMagickglobal policy file by typing the following command:

cp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol61974123

Edit the ImageMagickglobal policy file using a text editor of your choice, for example vi.
Include the vulnerable ImageMagickcoders in the policymap stanza. For example, if theHTTPcoder is vulnerable, you would include the following line in thepolicymap stanza:

Since the vulnerable coders listed in CVE-2016-3718 are HTTP and FTP, the modified policymap stanza should look similar to the following example:

Save the changes and exit the text editor.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL03151140: ImageMagick vulnerability CVE-2016-3714
SOL10550253: ImageMagick vulnerability CVE-2016-3715
SOL25102203: ImageMagick vulnerability CVE-2016-3716
SOL29154575: ImageMagick vulnerability CVE-2016-3717
The Accelerating Images with Image Optimization chapter of the BIG-IP Acceleration: Implementations guide

Note: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.

CPENameOperatorVersion
big-iq securityle4.5.0
big-ip edge gatewayle11.3.0
big-iq cloud and orchestrationle1.0.0
big-ip webacceleratorle11.3.0
big-ip aamle12.1.1
big-iq cloudle4.5.0
big-iq devicele4.5.0
big-iq adcle4.5.0
enterprise managerle3.1.1
big-iq centralized managementle4.6.0

Name	Operator	Version
big-iq security	le	4.5.0
big-ip edge gateway	le	11.3.0
big-iq cloud and orchestration	le	1.0.0
big-ip webaccelerator	le	11.3.0
big-ip aam	le	12.1.1
big-iq cloud	le	4.5.0
big-iq device	le	4.5.0
big-iq adc	le	4.5.0
enterprise manager	le	3.1.1
big-iq centralized management	le	4.6.0