For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bc81987's avatar
bc81987
Icon for Nimbostratus rankNimbostratus
May 15, 2024

CWE-20: Improper Input Validation

Good afternoon,   We've recently had a burp suite scan done on our F5 pair. This was the result: The application may be vulnerable to DOM-based DOM data manipulation. Data is read from window.loc...
security
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
May 15, 2024

Thanks for the question. Was there a URL associated with this error report? Are you using APM? Did you provide the scanner logon credentials so it could authenticate to the admin GUI or APM end-user logon page?

I do see a helper function that's used in the APM end-user logon page, decision box page, and endpoint-inspector status page that might trigger this alert, but it doesn't seem to be used in a way that's exploitable.

 

Vulnerability reports can be concerning. If you'd like a faster or tracked response on this question, get as many details as you can and please feel free to open a support ticket:
https://my.f5.com/manage/s/article/K2633

 

  • bc81987's avatar
    bc81987
    Icon for Nimbostratus rankNimbostratus
    May 16, 2024

    Yes there is a URL and we're using APM. Scanner has logon credentials. Everything seems to be working as intended. The issue is how to resolve this. Will an update from "BIG-IP v15.1.10.3 (Build 0.0.12)" work. If so, what version?

    I have a ticket in with F5, but I haven't heard back from the solution engineer since 5/8. I'll reach out again.

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Jun 03, 2024

      Did you hear something from F5 support?

       

      Without exact details it is going to be difficult to say something here.