CVE-2021 Checker iApp
Problem this snippet solves:
Overview
This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. This is based on the software version mainly and the modules provisioned, appliance mode etc, it does not look at your configuration in detail so it is only to be used as a guide. For instance, it does not check whether you are actually using APM, or SNAT, or HTTP/2.
There are two reports - the at-a-glance report on the Critical CVEs, and a more detailed HTML report created in the /var/tmp directory of the device which shows all of the BIG-IP CVEs and performs more detailed checks.
Summary Report
Detailed Report
How to use this snippet:
Download the file and extract to a local directory
Install the template as normal:
- login to the BIG-IP TMUI and go to iApps>Templates>Templates.
- Click on Import ( on the right hand side)
- Select the cve-checker-2021.tmpl file and hit Upload
To see the report, create an app using this template
- Go to iApps>Application Services>Applications
- Click on Create ( on the right hand side )
- From Template, select cve-checker-2021
- View summary report in this window
- Add a name for the application and Hit Finished
- Retrieve report from /var/tmp
- To refresh the report, go to Reconfigure and hit Finished again
If you find any bugs or issues with this then feel free to PM me here
This code has been developed and tested in a lab so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development then please PM me
Tested this on version:
13.1- PeteWhiteEmployee
Thanks for the info Sajid, I’ll take a look.
- SajidCirrostratus
After upgrade 14.1.4, still getting
CVE-2021-22999 CVSS score: 5.9 (Medium)
Vulnerability info
K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999
The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.
Vulnerable
The software version is vulnerable. You should update to TMOS v14.1.4 as soon as possible.
Impact
A remote attacker may cause the Traffic Management Microkernel (TMM) to leak memory and, over time, consume excessive system resources, leading to slow operation and eventual failover to a standby host.
- PeteWhiteEmployee
Thanks again Manuel, you are now the official quality tester haha. Updated to correct this, I will later improve the way that the summary report does the checks as it could be more efficient.
- Manuel_RodrigueNimbostratus
Thanks Pete.
I tried again and found other inaccuracies.
About CVE-2021-22986 the output is:
YES. You should update to a fixed version asap. See https://support.f5.com/csp/article/K03009991 for further details
About CVE-2021-22991 the output is:
MAYBE. Your software is generally vulnerable but there are specific circumstances in different modules so you need to investigate this further. See https://support.f5.com/csp/article/K56715231 for further details
But, CVE-2021-22986 and CVE-2021-22991 are not applicable for version 11.x
Could you verify?
Thanks again!
- PeteWhiteEmployee
Great, thanks for testing it Manuel. I have just updated it so it supports v11 so maybe you can try again. I have also improved the appliance mode checking and made the software version checking a bit simpler and hopefully more accurate
- Manuel_RodrigueNimbostratus
Very good stuff!
But, I have the version:
BIG-IP 11.6.5.2 Build 0.0.10 Point Release 2
I get the following error:
Error parsing template:can't eval proc: "script::run" version conflict for package "iapp": have 1.1.2, need 1.3.0 while executing "package require iapp 1.3.0" (procedure "script::run" line 2) invoked from within "script::run" line:1
Thank you!
- PeteWhiteEmployee
I have been doing some testing - Appliance Mode checking is to be improved, and CVE-2021-22999 is slightly inaccurate so needs checking