Forum Discussion
Understanding 'Versions known to be not vulnerable' in Security Advisories
Hello,
I'm trying to understand the implications of the choice of vulnerable versions in F5 Networks Security Advisories. I frequently see entries like:
Product / Versions known to be vulnerable / Versions known to be not vulnerable
BIG-IP PSM / 11.4.0 - 11.4.1 / None
[https://support.f5.com/csp/article/K90803619]
So there are no fixes for this CVE in BIG-IP PSM 11.4.0 despite newer versions for BIG-IP PSM (12.1.2, 13.0.0) that are not listed as vulnerable.
My question is about the logic behind the column 'Versions known to be not vulnerable'. Are the versions listed there chosen only from the same branch as the versions listed as 'Versions known to be vulnerable'? Would you recommend that a user of BIG-IP PSM 11.4.0 upgrade to a version of another branch like 12.1.2 in this case?
2 Replies
- Vijay_E
Cirrus
I think this is something that F5 Engineers can answer with authority. My understanding of "none" is that there is no available code version that is not vulnerable. So, even if you upgrade to 12.1.2, you will still be vulnerable.
- CharlesCS
Cirrus
PSM was deprecated starting in version 11.5.0, and its functions were divided between AFM and ASM. This is why there are no later versions shown in the "not vulnerable" column.