CVE-2021 Checker iApp

Problem this snippet solves:





Overview

This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. This is based on the software version mainly and the modules provisioned, appliance mode etc, it does not look at your configuration in detail so it is only to be used as a guide. For instance, it does not check whether you are actually using APM, or SNAT, or HTTP/2.


There are two reports - the at-a-glance report on the Critical CVEs, and a more detailed HTML report created in the /var/tmp directory of the device which shows all of the BIG-IP CVEs and performs more detailed checks.


Summary Report


Detailed Report

How to use this snippet:

Download the file and extract to a local directory

Install the template as normal:

  1. login to the BIG-IP TMUI and go to iApps>Templates>Templates.
  2. Click on Import ( on the right hand side)
  3. Select the cve-checker-2021.tmpl file and hit Upload

To see the report, create an app using this template

  1. Go to iApps>Application Services>Applications
  2. Click on Create ( on the right hand side )
  3. From Template, select cve-checker-2021
  4. View summary report in this window
  5. Add a name for the application and Hit Finished
  6. Retrieve report from /var/tmp
  7. To refresh the report, go to Reconfigure and hit Finished again


If you find any bugs or issues with this then feel free to PM me here


This code has been developed and tested in a lab so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development then please PM me


Tested this on version:

13.1
Published Mar 11, 2021
Version 1.0
application delivery
cve-2021
iApps

Was this article helpful?

7 Comments

Sort By
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 14, 2021

    I have been doing some testing - Appliance Mode checking is to be improved, and CVE-2021-22999 is slightly inaccurate so needs checking

  • Manuel_Rodrigue's avatar
    Manuel_Rodrigue
    Icon for Nimbostratus rankNimbostratus
    Mar 15, 2021

    Very good stuff!

    But, I have the version: 

         BIG-IP 11.6.5.2 Build 0.0.10 Point Release 2

    I get the following error:

    Error parsing template:can't eval proc: "script::run" version conflict for package "iapp": have 1.1.2, need 1.3.0 while executing "package require iapp 1.3.0" (procedure "script::run" line 2) invoked from within "script::run" line:1

    Thank you!

  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 15, 2021

    Great, thanks for testing it Manuel. I have just updated it so it supports v11 so maybe you can try again. I have also improved the appliance mode checking and made the software version checking a bit simpler and hopefully more accurate

  • Manuel_Rodrigue's avatar
    Manuel_Rodrigue
    Icon for Nimbostratus rankNimbostratus
    Mar 15, 2021

    Thanks Pete.

    I tried again and found other inaccuracies.

     

    About CVE-2021-22986 the output is:

    YES. You should update to a fixed version asap. See https://support.f5.com/csp/article/K03009991 for further details

     

    About CVE-2021-22991 the output is:

    MAYBE. Your software is generally vulnerable but there are specific circumstances in different modules so you need to investigate this further. See https://support.f5.com/csp/article/K56715231 for further details

     

    But, CVE-2021-22986 and CVE-2021-22991 are not applicable for version 11.x 

     

    Could you verify?

     

    Thanks again!

  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 15, 2021

    Thanks again Manuel, you are now the official quality tester haha. Updated to correct this, I will later improve the way that the summary report does the checks as it could be more efficient.

  • Sajid's avatar
    Sajid
    Icon for Cirrostratus rankCirrostratus
    Mar 19, 2021

    After upgrade 14.1.4, still getting

     

    CVE-2021-22999 CVSS score: 5.9 (Medium)

    Vulnerability info

    K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999

    The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.

     

    Vulnerable

    The software version is vulnerable. You should update to TMOS v14.1.4 as soon as possible.

    Impact

    A remote attacker may cause the Traffic Management Microkernel (TMM) to leak memory and, over time, consume excessive system resources, leading to slow operation and eventual failover to a standby host.