Forum Discussion

GDC1-TRG-F5
Sep 11, 2024

F5 CVE-2024-43102

Can anyone kindly help with an assessment of CVE-2024-43102 on F5 LTM?

Does this affect F5 devices? If yes, what mitigation can be followed?


  • A quick point of clarity, as I see this confusion quite often:

    F5 Quarterly Security Notifications are only for F5 vulnerabilities (which we call "first-party"); that is, vulnerabilities which exist within code F5 has authored, things like TMM, big3d, the Configuration Utility etc.

    Third-party vulnerabilities - CVEs in libraries like OpenSSL, components like Apache, Tomcat, or the underlying operating system kernel (Linux) - are disclosed as and when they are analysed by F5 (usually soon after disclosure by the third party). You can read more about what triggers an analysis and how we evaluate third-party vulnerabilities in K4602 and its companion article, K000133035.


    In short, the F5 QSNs have no relation to this CVE (CVE-2024-43102) and no bearing on our publishing a Security Advisory or otherwise.


    Ordinarily I would stress that the right course of action, if you have a question about a CVE and there is no Security Advisory on MyF5 yet, is to open a support case and request evaluation be performed so that an Advisory can be published. In this case, though, we would not publish an Advisory as F5 does not use FreeBSD in any of its products.

    You can check this by looking for the article relevant to your product, here: K121: Base operating systems of F5 products


    In short: no, F5 products are not impacted. F5 uses CentOS 7.x for all supported versions of BIG-IP up to v17.1 and Ubuntu 22.04 for BIG-IP v20.x.

  • Hi GDC1-TRG-F5


    This CVE is related to FreeBSD, not F5. Also, the F5 SIRT team hasn't published it in the last Quarterly Security Notification (QSN), Aug 2024.

    So, since the CVE doesn't exist in the F5 QSN, BIG-IP isn't impacted, or the CVE is not related to F5 products.