TMOS Version Update Paths
On March 10, 2021, F5 announced several CVEs, four of which are rated critical. All messaging around the vulnerabilities is summarized, and will be updated as necessary, on this landing page on f5.com. The overview of all the announced vulnerabilities (with links to the details for each) is on AskF5. The criticals are linked below.
- K03009991: iControl REST Unauthenticated remote command execution vulnerability CVE-2021-22986
- K18132488: Appliance Mode TMUI Authenticated remote command execution vulnerability CVE-2021-22987
- K56715231: TMM Buffer Overflow vulnerability CVE-2021-22991
- K52510511: Advanced WAF/ASM Buffer Overflow vulnerability CVE-2021-22992
Even where a vulnerability isn't trivial to exploit, not all of them have a practical mitigation, so if you are running a vulnerable version the recommendation is to update TMOS as soon as possible. Pete White released an iApp to the codeshare that displays a table of the announced vulnerabilities your specific BIG-IP is impacted by, so check that out as well.
TMOS Update Resources
Back in November, Emily Yale joined John and me on DevCentral Connects, and one of the interesting personal tidbits she shared is that she climbed Kilimanjaro! That's amazing by itself, and it's also interesting that there are seven different routes, spread around the mountain, by which you can summit. Many paths -> one goal.
The same is true for updating TMOS. Before covering the various paths you might take, a couple notes:
- An update is a point release (x.x.x.x). Examples are updating from 13.1.3.5 to 13.1.3.6, or from 16.0.1 to 16.0.1.1. For details on F5's software lifecycle policy, see K8986. A point release is the safest course of action, as it introduces no changes to existing default behaviors.
- As stated in K7727, a point release does not require a license update. If you move major versions, however, that is an upgrade, not an update, and a license check is necessary! Plan accordingly and perform your license checks before installing the config and rebooting into your upgraded partitions.
- There are resources appropriate to each of the update paths in the sections below, but there's also a new deployment guide on BIG-IP updates/upgrades on F5.com that provides a cohesive view of the various related AskF5 knowledge articles. I highly recommend adding that to your toolbox! The BIG-IP Fundamentals courses Upgrading a BIG-IP System and Using TCPDUMP on the BIG-IP System have also been made available for free on LearnF5.
Updating TMOS with BIG-IQ
In this demo, Kyle Oliver covers the ease in which BIG-IQ can manage the BIG-IP updates.
This video from AskF5 shows the process as well in a little more formal presentation with a little less Jason and John!
Resources
- K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents
- K14812626: BIG-IP upgrade guide | Chapter 9: Upgrade BIG-IP systems using BIG-IQ
- How to run bash scripts on devices that BIG-IQ manages (Youtube)
Updating TMOS with Ansible F5 Modules
This demo from Sebastian Maniak highlights how easy it is to update BIG-IP with Ansible F5 Modules. His playbook is on display and linked below in the resources.
Resources
- K84205182: BIG-IP upgrade guide | Chapter 1: Guide contents
- K89192130: BIG-IP upgrade guide | Chapter 18: Using F5 Modules for Ansible to upgrade BIG-IP system software
- Sebastian Maniak’s Ansible Playbook (from the demo)
Updating TMOS with iControl REST
Satoshi provided great guidance in Q&A (linked below) on how to install the update and copy the active configuration over to the new slot. It does not cover how to get the TMOS image onto the systems, however; that can also be done with curl on the CLI, but the idea here is to glean the install and config details from the iControl REST interface and work them into a polished script in the language of your choice, so you can automate the process for all your devices. One caveat: /mgmt/tm/util/bash runs whatever shell command it is handed on the BIG-IP, so treat the credentials your automation uses for these calls as you would root access, and keep the management interface they talk to off untrusted networks.
```bash
# Install TMOS into the target volume (the ISO must already be on the BIG-IP,
# in /shared/images). -k skips TLS verification; drop it once the management
# certificate is trusted by the host running the script.
curl -sku admin:<password> https://<host>/mgmt/tm/sys/software/image \
  -X POST -H "Content-Type: application/json" \
  -d '{"command":"install", "name":"BIGIP-13.1.0.0.0.1868.iso", "volume":"HD1.3"}'

# Copy the configuration from the active slot (HD1.2) to the new slot (HD1.3)
curl -sku <user>:<password> https://<host>/mgmt/tm/util/bash \
  -X POST -H "Content-Type: application/json" \
  -d '{"command":"run", "utilCmdArgs":"-c \"cpcfg --source=HD1.2 HD1.3\""}'
```
Because a TMOS installation is a long-lived task, you'll also want to verify the result by GETting the volume (in this example, /mgmt/tm/sys/software/volume/HD1.3) and checking its version and status attributes. Some attributes have been removed from the JSON below for brevity.
```json
{
  "name": "HD1.3",
  "selfLink": "https://localhost/mgmt/tm/sys/software/volume/HD1.3?ver=15.1.0.5",
  "basebuild": "0.0.4",
  "build": "0.0.4",
  "product": "BIG-IP",
  "status": "complete",
  "version": "13.1.1.5"
}
```
If you don't yet have BIG-IQ or Ansible in your environment, this might be a good option for you in the interim and shouldn’t take long to put together.
Resources
- DevCentral Q&A - How to upgrade F5 BIG-IP 3600 through API REST?
- DevCentral Q&A - Cpcfg Copy Config equivalent in REST
- DevCentral Codeshare - Download a UCS archive with curl (working with files and curl - needs modification)
Updating TMOS Manually
- PeteWhite (Employee)
I have provided a simple iApp to show you in a table whether your device is vulnerable to the CVEs. Take a look at https://devcentral.f5.com/s/articles/CVE-2021-Checker-iApp?page=1
- JRahm (Admin)
Right on, !!