Forum Discussion

rglus6970_30822's avatar
rglus6970_30822
Icon for Nimbostratus rankNimbostratus
Aug 02, 2018

Managing Vulnerabilities

I have some questions about vulnerability management which I have been struggling with that hopefully someone can help with. Sometimes our vulnerability management system (Nexpose) shows assets under...
LTM
security
rglus6970_30822's avatar
rglus6970_30822
Icon for Nimbostratus rankNimbostratus
Aug 02, 2018

I am going to reply to my own question as I probably should have read the Article a little closer.

 

https://support.f5.com/csp/article/K13114

 

Vulnerable component or feature Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers

 

I am not on a vulnerable image: Versions known to be Not Vulnerable 11.1.0 and later

 

So I think this is a tagging issue with our Vuln Management system. I guess if anyone responds, do you think this is still an issue with F5 or an issue with Nexpose?

 

  • Chris_Grant's avatar
    Chris_Grant
    Icon for Employee rankEmployee
    Aug 04, 2018

    Your vulnerability managing system is correctly reporting that there is a vulnerability, but in this case it's a vulnerability on the back end system that is being exposed through the BigIP. The correct place to patch this is in the back end system. Patching the BigIP, even if possible, would do nothing to patch the vulnerability your scanner is seeing, as we are simply passing on the vulnerable code from the back end.