Forum Discussion
F5 CVE 2024 43102
A quick point of clarity, as I see this confusion quite often:
F5 Quarterly Security Notifications are only for F5 vulnerabilities (which we call "first-party"); that is, vulnerabilities which exist within code F5 has authored, things like TMM, big3d, the Configuration Utility etc.
Third-party vulnerabilities - CVEs in libraries like OpenSSL, components like Apache, Tomcat, or the underlying operating system kernel (Linux) - are disclosed as and when they are analysed by F5 (usually soon after disclosure by the third party). You can read more about what triggers an analysis and how we evaluate third-party vulnerabilities in K4602 and its companion article, K000133035.
In short, the F5 QSNs have no relation to this CVE (CVE-2024-43102) and no bearing on our publishing a Security Advisory or otherwise.
Ordinarily I would stress that the right course of action, if you have a question about a CVE and there is no Security Advisory on MyF5 yet, is to open a support case and request evaluation be performed so that an Advisory can be published. In this case, though, we would not publish an Advisory as F5 does not use FreeBSD in any of its products.
You can check this by looking for the article relevant to your product, here: K121: Base operating systems of F5 products
In short: no, F5 products are not impacted. F5 uses CentOS 7.x for all supported versions of BIG-IP up to v17.1 and Ubuntu 22.04 for BIG-IP v20.x.