Forum Discussion
ShellShock: For our customers, could you please provide us a PATCH instead of going for an upgrade?
Hi,
We have customers with products on the version "BIG-IP 10.2.4". The solution provided on the F5 website is to upgrade every product on the vulnerable version "10.2.4" to the 11.6HF1 version. (PS: GNU Bash vulnerabilities CVE-2014-6271 and CVE-2014-7169 http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html )
Since all the servers are in production, they are hesitant to upgrade to a higher version (i.e. to 11.6). Could you please provide us a PATCH instead of going for an upgrade, to help us deploy it on all the servers and thus fix the issue?
Kind Regards, Vishnu Mob: +65 97714970
7 Replies
- nitass
Employee
Since all the servers are in production, they are hesitant to upgrade to a higher version (i.e. to 11.6). Could you please provide us a PATCH instead of going for an upgrade, to help us deploy it on all the servers and thus fix the issue?
As you have been informed, the product development team is working on it, but there is no ETA yet. It will be included in HF9.
- vishnu_agrawal_
Nimbostratus
Thanks for your prompt response.
Is it not that first the patch is developed?
Anyone who goes for the upgrade once will not need the patch further.
Kindly suggest if we should wait for you to provide the patch or go with an upgrade (which is not so easy since they are in production).
Depends on complexity of your setup.
We had issues in the past going from 10.2 to 11.0, but had no issues going from 11.2 to 11.5.0 (although that wasn't as much of a direct upgrade as it was migration to vCMP by moving config manually).
If you can spin up a virtual F5 to your active version (not allowing network access for anything except management, and changing the management address), then do the upgrade to 11.6 HF1 and see how it goes.
But as nitass said, they have patches for the latest versions, but older versions should be patched, but are likely to have a lower priority as it's old code.
- vishnu_agrawal_
Nimbostratus
Thanks Andrew. I got a mail from f5 customer support as below: "Hi Vishnu,
Hot fix for 10.2.4 (HF9) with security patches is expected to be released in next few days.
I will update you once it is available.
Please feel free to contact us should you have any questions or require any assistance."
So, please confirm if it is expected in next few days and we should still wait for it?
Kind Regards, Vishnu Agrawal
- nitass
Employee
I am not in the development team, but I understand the hotfix is in the testing phase and would be available soon.
- vishnu_agrawal_
Nimbostratus
Hi, I have downloaded the patch and read the installation procedure:
https://support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html#Importing_the_hotfix_files_to_the_BIG-IP_system
I have a question on the fallback scenario, or reverting to a previous hotfix version.
I have read the article:
In BIG-IP 10.x, you no longer use a hotfix uninstall package to remove a hotfix installation. Instead, if you need to revert to the previous hotfix version, you can boot to the formerly active boot location containing the previous hotfix installation. For example, if you installed BIG-IP 10.2.2 HF3 on an inactive boot location from a 10.2.2 HF1 boot location and you want to revert from HF3 to HF1, you would boot back to the 10.2.2 HF1 boot location. To do so using the Configuration utility, browse to System > Software > Boot Locations and activate the desired boot location.
But note that "10.2.2 HF1 boot location" is already CORRUPTED with HF3. So in this case, I WON'T be having a good boot of "10.2.2 HF1" which I want.
Just for example:
Current boot image:
HD1.1 - title BIG-IP 10.1.0 Build 3341.0
Default boot image:
HD1.1 - title BIG-IP 10.1.0 Build 3341.0
Available boot image(s):
HD1.1 - title BIG-IP 10.1.0 Build 3341.0
HD1.2 - title BIG-IP 10.0.1 Build 354.0
Note that my current boot image is HD1.1, and HD1.2 is the older version not in use. Now, I made HD1.1 inactive and HD1.2 active and installed the hotfix. If I want to revert now to HD1.1, how can I do it? As you see, HD1.1 is already corrupted with the hotfix I installed just now. And HD1.2 is no longer in use and is on a very old version which we were not using.
Please help me to figure this out.
- vishnu_agrawal_
Nimbostratus
For reverting to the original version / fallback procedure, what I can say is that the one for the 11.x version is more meaningful and explanatory. Link below: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13123/
But why doesn't the same fallback procedure apply for version 10.2.4 to install HF9?
Please let me know the correct/exact Fallback procedures as I am preparing to test on staging.
Thanks & Regards, Vishnu
