cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
PeteWhite
F5 Employee
F5 Employee

Problem this snippet solves:





Overview

This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. This is based on the software version mainly and the modules provisioned, appliance mode etc, it does not look at your configuration in detail so it is only to be used as a guide. For instance, it does not check whether you are actually using APM, or SNAT, or HTTP/2.


There are two reports - the at-a-glance report on the Critical CVEs, and a more detailed HTML report created in the /var/tmp directory of the device which shows all of the BIG-IP CVEs and performs more detailed checks.


Summary Report

0151T0000040LitQAE.JPG


Detailed Report

0151T0000040M1HQAU.JPG

How to use this snippet:

Download the file and extract to a local directory

Install the template as normal:

  1. login to the BIG-IP TMUI and go to iApps>Templates>Templates.
  2. Click on Import ( on the right hand side)
  3. Select the cve-checker-2021.tmpl file and hit Upload

To see the report, create an app using this template

  1. Go to iApps>Application Services>Applications
  2. Click on Create ( on the right hand side )
  3. From Template, select cve-checker-2021
  4. View summary report in this window
  5. Add a name for the application and Hit Finished
  6. Retrieve report from /var/tmp
  7. To refresh the report, go to Reconfigure and hit Finished again


If you find any bugs or issues with this then feel free to PM me here


This code has been developed and tested in a lab so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development then please PM me


Tested this on version:

13.1
Comments
PeteWhite
F5 Employee
F5 Employee

I have been doing some testing - Appliance Mode checking is to be improved, and CVE-2021-22999 is slightly inaccurate so needs checking

Manuel_Rodrigue
Nimbostratus
Nimbostratus

Very good stuff!

But, I have the version: 

     BIG-IP 11.6.5.2 Build 0.0.10 Point Release 2

I get the following error:

Error parsing template:can't eval proc: "script::run" version conflict for package "iapp": have 1.1.2, need 1.3.0 while executing "package require iapp 1.3.0" (procedure "script::run" line 2) invoked from within "script::run" line:1

Thank you!

PeteWhite
F5 Employee
F5 Employee

Great, thanks for testing it Manuel. I have just updated it so it supports v11 so maybe you can try again. I have also improved the appliance mode checking and made the software version checking a bit simpler and hopefully more accurate

Manuel_Rodrigue
Nimbostratus
Nimbostratus

Thanks Pete.

I tried again and found other inaccuracies.

 

About CVE-2021-22986 the output is:

YES. You should update to a fixed version asap. See https://support.f5.com/csp/article/K03009991 for further details

 

About CVE-2021-22991 the output is:

MAYBE. Your software is generally vulnerable but there are specific circumstances in different modules so you need to investigate this further. See https://support.f5.com/csp/article/K56715231 for further details

 

But, CVE-2021-22986 and CVE-2021-22991 are not applicable for version 11.x 

 

Could you verify?

 

Thanks again!

PeteWhite
F5 Employee
F5 Employee

Thanks again Manuel, you are now the official quality tester haha. Updated to correct this, I will later improve the way that the summary report does the checks as it could be more efficient.

Sajid
Cirrostratus
Cirrostratus

After upgrade 14.1.4, still getting

 

CVE-2021-22999 CVSS score: 5.9 (Medium)

Vulnerability info

K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999

The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.

 

Vulnerable

The software version is vulnerable. You should update to TMOS v14.1.4 as soon as possible.

Impact

A remote attacker may cause the Traffic Management Microkernel (TMM) to leak memory and, over time, consume excessive system resources, leading to slow operation and eventual failover to a standby host.

PeteWhite
F5 Employee
F5 Employee

Thanks for the info Sajid, I’ll take a look.

Version history
Last update:
‎11-Mar-2021 13:41
Updated by:
Contributors