sol14468: Client-side component flaw - CVE-2013-0150
Security Advisory

Original Publication Date: 06/26/2013
Updated Date: 06/26/2013

Description

A flaw in a BIG-IP APM or FirePass client-side F5-signed component may allow a third party to install files on the client machine.

Impact

Affected components may allow third party code execution on the affected client. There is no impact to the BIG-IP or FirePass host. 

Status

F5 Product Development has assigned ID 420104 to this vulnerability.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.0.0 - 9.6.1, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP AAM | None | 11.4.0 | None |
| BIG-IP AFM | 11.3.0 | 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP Analytics | 11.0.0 - 11.3.0 | 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP APM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components |
| BIG-IP ASM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.2.0 - 9.4.8, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP Edge Gateway | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP GTM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.2.2 - 9.4.8, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP IQ | None | 4.0.0 | None |
| BIG-IP Link Controller | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.2.2 - 9.4.8, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP PEM | 11.3.0 | 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP PSM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.4.5 - 9.4.8, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6, 11.4.0 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP WebAccelerator | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 9.4.0 - 9.4.8, 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| BIG-IP WOM | 10.1.0 - 10.2.4, 11.0.0 - 11.3.0 | 10.0.0, 10.2.4-HF7, 11.1.0-HF8, 11.2.0-HF7, 11.2.1-HF7, 11.3.0-HF6 | Client-side components are present on vulnerable host, but components only installed on clients when APM is provisioned |
| ARX | None | 5.0.0 - 5.3.1, 6.0.0 - 6.3.0 | None |
| Enterprise Manager | None | 1.6.0 - 1.8.0, 2.0.0 - 2.3.0, 3.0.0 - 3.1.1 | None |
| FirePass | 6.0.0 - 6.1.0, 7.0.0 | 6.1.0 HF-420103-1, 7.0.0 HF-420103-1 | Client-side components |

Recommended action

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. A fixed client component will automatically be downloaded the next time a client is authenticated to the APM or FirePass host.
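The following checker, added here as an example rather than F5's own tooling, encodes the BIG-IP APM and FirePass rows of the table above so an inventory script can flag a host as vulnerable from its version string and hotfix level. It assumes that a BIG-IP hotfix numbered higher than the listed fixing hotfix (for example 11.3.0-HF7) also carries the fix, and that a FirePass host is fixed only when the named engineering hotfix HF-420103 is installed.

```python
"""Check a BIG-IP APM or FirePass version string against the sol14468 table.

Added example, not F5 tooling. Ranges and hotfix levels are copied from the
advisory's BIG-IP APM and FirePass rows.
"""
import re

# Vulnerable base-version ranges (inclusive) per product, from the advisory table.
VULNERABLE_RANGES = {
    "BIG-IP APM": [("10.1.0", "10.2.4"), ("11.0.0", "11.3.0")],
    "FirePass": [("6.0.0", "6.1.0"), ("7.0.0", "7.0.0")],
}
# Hotfix on a given base version that carries the fix, from the table.
FIXED_HOTFIX = {
    "BIG-IP APM": {"10.2.4": 7, "11.1.0": 8, "11.2.0": 7, "11.2.1": 7, "11.3.0": 6},
    "FirePass": {"6.1.0": 420103, "7.0.0": 420103},
}
# Assumption: BIG-IP hotfixes are cumulative (HF-n or later is fixed); FirePass
# engineering hotfixes are identified by ID and must match exactly.
CUMULATIVE = {"BIG-IP APM": True, "FirePass": False}

# Accepts "11.2.1", "10.2.4-HF7" and "6.1.0 HF-420103-1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[ -]HF-?(\d+)(?:-\d+)?)?$")


def parse_version(text):
    """Return ((major, minor, patch), hotfix_number); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    hotfix = int(m.group(4)) if m.group(4) else 0
    return base, hotfix


def is_vulnerable(product, version):
    """True if the product/version pair falls in a vulnerable range without the fix."""
    base, hotfix = parse_version(version)
    in_range = any(
        parse_version(lo)[0] <= base <= parse_version(hi)[0]
        for lo, hi in VULNERABLE_RANGES[product]
    )
    if not in_range:
        return False  # outside every vulnerable range (e.g. 11.4.0 or 10.0.0)
    fixing = FIXED_HOTFIX[product].get("%d.%d.%d" % base)
    if fixing is None:
        return True  # no fixing hotfix exists for this base version (e.g. 11.0.0)
    return hotfix < fixing if CUMULATIVE[product] else hotfix != fixing
```

A base version inside a vulnerable range stays flagged until the hotfix listed for that exact base is present, so 11.0.0 with any hotfix is still reported as vulnerable while 11.3.0-HF6 is not.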

Acknowledgments

F5 would like to acknowledge Neal Poole for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

Supplemental Information
