F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

GDC1-TRG-F5's avatar
GDC1-TRG-F5
Icon for Altocumulus rankAltocumulus
Sep 11, 2024

F5 CVE 2024 43102

Anyone Kindly help to assessment on this CVE 2024 43102 on F5 LTM. Do this affect f5 devices if yes, what mitigation can be followed.  
security
AaronJB's avatar
AaronJB
Ret. Employee
Sep 11, 2024

A quick point of clarity as I see this confusion quite often;

F5 Quarterly Security Notifications are only for F5 vulnerabilities (which we call "first-party"); that is, vulnerabilities which exist within code F5 has authored, things like TMM, big3d, the Configuration Utility etc.

Third-party vulnerabilities - CVEs in libraries like OpenSSL, components like Apache, Tomcat, or the underlying operating system kernel (Linux) - are disclosed as and when they are analysed by F5 (usually soon after disclosure by the third party). You can read more about what triggers an analysis and how we evaluate third-party vulnerabilities in K4602 and its companion article, K000133035.

 

In short, the F5 QSNs have no relation to this CVE (CVE-2024-43102) and no bearing on our publishing a Security Advisory or otherwise.

 

Ordinarily I would stress that the right course of action, if you have a question about a CVE and there is no Security Advisory on MyF5 yet, is to open a support case and request evaluation be performed so that an Advisory can be published. In this case, though, we would not publish an Advisory as F5 does not use FreeBSD in any of its products.

You can check this by looking for the article relevant to your product, here: K121: Base operating systems of F5 products

 

In short; No, F5 products are not impacted. F5 uses CentOS 7.x for all supported versions of BIG-IP up to v17.1 and Ubuntu 22.04 for BIG-IP v20.x.