Original Publication Date: 05/16/2007
Updated Date: 09/08/2010
Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about F5 Networks' security policy regarding evaluating older and unsupported versions of F5 Networks products, refer to SOL4602: Overview of F5 Networks security vulnerability response policy.
F5 Networks products and versions that have been evaluated for this Security Advisory
| Product | Affected | Not Affected |
| --- | --- | --- |
| BIG-IP / 3-DNS | None | 4.5.x 4.6.x |
| BIG-IP LTM | 9.0.2 - 9.0.4 | 9.2.x 9.3.x 9.4.x 9.6.x 10.x |
| BIG-IP GTM | None | 9.2.x 9.3.x 9.4.x 10.x |
| BIG-IP ASM | None | 9.2 - 9.2.5 9.3 - 9.3.1 9.4 - 9.4.8 10.0.0 - 10.0.1 |
| BIG-IP Link Controller | None | 9.2.2 - 9.2.5 9.3 - 9.3.1 9.4 - 9.4.8 10.0.0 - 10.0.1 |
| BIG-IP WebAccelerator | None | 9.4.x 10.x |
| BIG-IP PSM | None | 10.x |
| BIG-IP WAN Optimization | None | 10.x |
| BIG-IP APM | None | 10.x |
| BIG-IP Edge Gateway | None | 10.x |
| BIG-IP SAM | None | 8.x |
| FirePass | None | 3.x 4.x 5.x 6.x 7.x |
| Enterprise Manager | None | 1.x |
| WANJet | None | 3.x 4.x 5.x |
| WebAccelerator | None | 5.x |
| ARX | None | 2.x 3.x 4.x 5.x |
BIG-IP versions 9.0.2 through 9.0.4 cache login credentials for the Configuration utility. Once a user is logged in, the cache does not check the password entered for additional sessions under that user name. As a result, it is possible to gain access to the BIG-IP Configuration utility without a password.
F5 Networks Product Development tracked this issue as CR45786 and it was fixed in BIG-IP version 9.0.5. For information about upgrading, refer to the BIG-IP LTM Release Notes.
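The behavior described above is that of a cache that treats a hit on the user name as proof of authentication. The following sketch is an added illustration, not F5 code: the class names, the `admin` account and its passwords are constructed, and it models only the general pattern, with a cache that verifies every attempt beside it.

```python
import hashlib
import hmac
import os

# Constructed credential store standing in for the real authentication backend.
_SALT = os.urandom(16)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

BACKEND = {"admin": _kdf("correct-horse", _SALT)}

def backend_verify(user, password):
    stored = BACKEND.get(user)
    return stored is not None and hmac.compare_digest(stored, _kdf(password, _SALT))

class UsernameKeyedCache:
    """Flawed pattern: a cache hit on the user name alone counts as a login."""
    def __init__(self):
        self._logged_in = set()

    def login(self, user, password):
        if user in self._logged_in:  # the submitted password is never examined
            return True
        if backend_verify(user, password):
            self._logged_in.add(user)
            return True
        return False

class VerifierCache:
    """Corrected pattern: the cache keeps a salted verifier and checks each attempt."""
    def __init__(self):
        self._entries = {}  # user -> (salt, derived key)

    def login(self, user, password):
        entry = self._entries.get(user)
        if entry and hmac.compare_digest(entry[1], _kdf(password, entry[0])):
            return True
        if backend_verify(user, password):  # miss or mismatch: ask the backend
            salt = os.urandom(16)
            self._entries[user] = (salt, _kdf(password, salt))
            return True
        return False

def second_session(cache):
    """Regression check: valid login first, then a second session with a bad password."""
    first = cache.login("admin", "correct-horse")
    second = cache.login("admin", "wrong-password")
    return first, second
```

A regression test for an authentication cache should assert that the second element is `False` while an earlier session for the same user is still cached.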