F5 Security Team Responds to Vulnerability in the Cloud
F5 offers extensive options for deploying applications in the cloud, and we have a long list of “F5 Ready” cloud providers to choose from. We are continually testing and hardening the security on these platforms, and in our latest tests we found a vulnerability affecting deployments in the AWS, Azure, and Verizon cloud services environments. Our Security Team here at F5 quickly responded with tons of great information for any affected users.
CVE-2016-2084 affects key and certificate regeneration and impacts the BIG-IP and BIG-IQ products when these products are deployed in the AWS, Microsoft Azure, or Verizon cloud services environments. This vulnerability does not impact other cloud environments, BIG-IP or BIG-IQ hardware, hypervisor-based Virtual Edition (VE), or Virtual Clustered Multiprocessing (vCMP) (host or guest) deployments. Other cloud environments are not affected due to the differences in the generation of the specific cloud images. F5 discovered this vulnerability through internal testing, and there are no known exploits at this time.
In the affected versions of these BIG-IP and BIG-IQ cloud instances, certificates and keys are not properly regenerated when deployed, which results in multiple instances sharing the same certificates and keys. We understand this is a big deal, and we created a Solution Page that outlines the exact details of the vulnerability along with downloadable scripts and instructions for remediation. Be sure to check the solution page early and often for any updates that are released.
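As an added illustration (not F5's code, and not a substitute for the Solution Page scripts), the following Python sketch shows how an administrator could confirm whether instances they manage present the same certificate, which is the symptom described above. The instance names and certificate contents are constructed placeholders; it compares whole certificates only, so it does not detect a re-issued certificate that reuses an old key.

```python
import hashlib
import ssl
from collections import defaultdict


def cert_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, so PEM line wrapping or CRLF does not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate an instance you administer presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def find_shared(certs_by_instance: dict) -> dict:
    """Map fingerprint -> sorted instance names, keeping only fingerprints on 2+ instances."""
    groups = defaultdict(list)
    for name, pem in certs_by_instance.items():
        groups[cert_fingerprint(pem)].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def constructed_pem(blob: bytes) -> str:
    # Constructed stand-in: wraps placeholder bytes in PEM armor; not a real certificate.
    return ssl.DER_cert_to_PEM_cert(blob)


# Constructed inventory (hypothetical names): three instances still carry the
# certificate baked into the image, one has had its certificate regenerated.
IMAGE_DEFAULT = constructed_pem(b"constructed-image-default-cert" * 8)
SAMPLE_INVENTORY = {
    "bigip-aws-1": IMAGE_DEFAULT,
    "bigip-aws-2": IMAGE_DEFAULT.replace("\n", "\r\n"),  # same cert, CRLF line endings
    "bigip-azure-1": IMAGE_DEFAULT,
    "bigip-aws-3": constructed_pem(b"constructed-regenerated-cert" * 8),
}

if __name__ == "__main__":
    for fp, names in find_shared(SAMPLE_INVENTORY).items():
        print(f"shared certificate {fp[:16]}... on: {', '.join(names)}")
```

To run it against live instances, build the inventory with `fetch_pem` for each management address you own; any group it reports is a set of instances that need their certificates and keys regenerated.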
F5 also has an extensive policy for responding to security vulnerabilities if you want to know more about our approach to vulnerability categorization, scoring, announcements, and remediation.