Forum Discussion

irbk's avatar
irbk
Icon for Cirrus rankCirrus
Nov 17, 2023

Help understanding iHealth status

I've just uploaded a new qkview to iHealth and I'm looking at it and I'm really confused.  I thought iHealth was supposed to help me understand how the health of my BigIP was but either iHeath is giving me bad information or I don't understand how to read it.  
My diagnostics says I have 3 High priority things to look at.

So I click to look into the items.  Very first item is "BIG-IP HTTP/2 vulnerability CVE-2023-40534".  I click into the article link to see what the fix is https://my.f5.com/manage/s/article/K000133467 and I can see that the fix is included in versions 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.23.4-ENG and above. 

I just recently upgraded from 17.1.0.3 Point Release 3 0.0.4 to 17.1.0.3 Engineering Hotfix 0.75.4 and according to the article "After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch" so why am I seeing this as a high priority fix to be applied?   Is my iHeath not showing me the correct information or am I just not reading it correctly?

 

 

  • irbk It is possible that it doesn't have the fix and in this situation I would open a case with F5 pointing out the issue and see what they say.

    • irbk's avatar
      irbk
      Icon for Cirrus rankCirrus

      I suppose that's possible but it says right in the note above the table "After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases" which makes me believe that a fix in versions 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.23.4-ENG would be included in 17.1.0.3 Engineering Hotfix 0.75.4.  I'll open up a ticket and ask.

  • Well, according to support, the answer is "because".  I really felt like I didn't get a straight answer out of support for this question.  Like I had to ask the same question 3 times before getting any kind of answer.  I'm not sure if they weren't understanding my question or if I wasn't understanding their answer.
    Apparently looking at diagnostics won't tell you what's wrong, only what *may* be an issue.  It's up to you to dig into each item and determine if you are effected by it.  Sort of deminishes the value of iHealth IMHO.  Also, apparently iHealth looks at ALL the software on your device, even non-active partitions.  It's good practice to keep the old software on the system as a roll back point.  Thus, 17.1.0.3 Point Release 3 0.0.4 is still on my system in a non-active partition.  The issue is detected in the 17.1.0.3 Point Release 3 0.0.4 which is on my system (though it's not an active partition) so that's also why I'm seeing it. 
    I just hope I never have to give this diagnostic page to an auditor.  I don't want to have to try and explain to the auditor that while the diag SAYS I have 3 critical vulnerabilites, I don't REALLY have them.  Then have to go through the process of proving it as well.
    I really want to see if deleting the non-active partition off my system will clear the error or not.  However my current plan is to always keep the older version on a non-active partition until it's time to upgrade to the next version.  IE 17.1.0.3 Point Release 3 0.0.4 will stay on my box until I'm ready to upgrade to 17.1.1 and only then in one of the first few steps in installing the 17.1.1, I delete the 17.1.0.3 partition. 

    • irbk That's a bummer that it looks at all partitions even if they aren't active. I'm the same as you, always keep the previous working partition until the next upgrade. If you feel that you have to delete the old one you should be fine as long as you have been running on the new one for some time without any issues. Typically auditors do not go off of iHealth but instead they do their own digging and as long as what they're looking for doesn't match anything you are fine. For instance, we got dinged for STP being enabled on the F5 because it could pass this information out of other routed interfaces but because we are in one-arm mode and not in path we don't really have to worry about it.