Forum Discussion

Ken_A_'s avatar
Ken_A_
Icon for Nimbostratus rankNimbostratus
Mar 26, 2021

Vulnerabilities in Big-IP 10.2.4, 9.4.8, and 9.4.3

I'm trying to find information on whether or not the F5 servers we are running are vulnerable to the Security Advisory K02566623: Overview of F5 vulnerabilities (March 2021). We are running Big-IP v...
ASM Advanced WAF
BIG-IP
LTM
security
ssl
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Mar 26, 2021

Citing from K4602: Overview of the F5 security vulnerability response policy:

"When a vulnerability is publicly disclosed, F5 is committed to evaluating the software versions that have not yet reached End of Technical Support (EoTS), as indicated in the software support policy articles for each product. For more information, refer to F5 software products currently supported with active development in K8986: F5 software lifecycle policy.

When critical vulnerabilities are discovered, F5 implements, tests, and releases security hotfixes for the supported software versions, where technically feasible. For additional information regarding the F5 critical issue hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy."

 

As stated in K5903: BIG-IP software support policy all the software you are running is EoTS.

In other words: F5 will not check whether or not the software you are running is vulnerable.

 

I recommend you start from here:

K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference

and here:

AskF5's new BIG-IP upgrade guide

 

Good luck! If you get stuck, come here and ask for help. :)