On March 10, 2021, F5 announced several CVEs, four of which are rated critical. All messaging around the vulnerabilities is summarized, and will be updated as necessary, on this landing page on f5.com. The overview of all of the announced vulnerabilities (as well as the details for each, which are linked) can be found here on AskF5. The critical ones are linked below.
Even if some of the vulnerabilities aren’t trivial to exploit, not all of them have a practical mitigation. Therefore, if you are running a vulnerable version, the recommendation is to update TMOS as soon as possible. Pete White released an iApp to the codeshare that displays a table of the announced vulnerabilities your specific BIG-IP is impacted by, so check that out as well.
TMOS Update Resources
Back in November, Emily Yale joined John and me on DevCentral Connects, and one of the interesting personal tidbits she shared is that she climbed Kilimanjaro! While that’s amazing by itself, it’s also interesting that there are seven different routes, spread all over the geography of the mountain, by which you can summit. Many paths -> one goal.
The same is true for updating TMOS. Before covering the various paths you might take, a couple notes:
An update is a point release (x.x.x.x). An example would be updating from 184.108.40.206 to 220.127.116.11, or 16.0.1 to 18.104.22.168. For details on F5’s software lifecycle policy, please see K8986. A point release is the safest course of action as no changes to existing default behaviors are introduced.
As stated in K7727, a point release does not require a license update. If you move major versions, however, know that this is an upgrade, not an update, and a license check is necessary! Plan accordingly and perform your license checks before installing the config and rebooting into your upgraded partitions.
Satoshi provided great guidance to users in Q&A (linked below) on how to install the update and copy the active configuration over to the new slot. This does not cover how to get the TMOS image onto the systems, however. That can also be done on the CLI via curl, but the idea here is to glean the install and config details from the iControl REST interface and work them into a polished script in the language of your choice, so you can automate the process for all your devices.
As TMOS installation is a long-lived task, you’ll want to verify the installation as well (the endpoint in this example would be /mgmt/tm/sys/software/volume/HD1.3) by checking the version and status attributes. Some attributes from the JSON below have been removed for brevity.
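To show what the verification step looks like in a script, here is an added Python example (my own, not code from the article or from Satoshi's Q&A answer). It polls the software volume object until the status attribute leaves the installing state and then confirms the version attribute matches the build you installed; the sample responses, the volume name HD1.3 and the version string are constructed placeholders, and the fetch_volume helper assumes HTTP basic auth against the iControl REST endpoint with a trusted TLS certificate on the management interface.

```python
import base64
import json
import ssl
import time
import urllib.request
from typing import Callable

# Constructed sample responses, shaped like the iControl REST software volume
# object returned by GET /mgmt/tm/sys/software/volume/HD1.3. The version
# string is a placeholder, not a value taken from the article.
INSTALLING = {"name": "HD1.3", "version": "16.0.1.1",
              "status": "installing 42.000 pct", "active": False}
COMPLETE = {"name": "HD1.3", "version": "16.0.1.1",
            "status": "complete", "active": False}

def volume_state(volume: dict, expected_version: str) -> str:
    """Classify a volume as installing, complete, wrong-version or failed."""
    status = volume.get("status", "")
    if status.startswith("installing"):
        return "installing"
    if status != "complete":
        return "failed"          # anything else (e.g. a failed install) is not bootable
    if volume.get("version") != expected_version:
        return "wrong-version"   # install finished, but not with the build you asked for
    return "complete"

def wait_for_install(fetch: Callable[[], dict], expected_version: str,
                     attempts: int = 120, delay: float = 15.0) -> str:
    """Poll fetch() until the volume leaves the installing state or attempts run out."""
    for _ in range(attempts):
        state = volume_state(fetch(), expected_version)
        if state != "installing":
            return state
        time.sleep(delay)
    return "timeout"

def fetch_volume(host: str, user: str, password: str, volume: str = "HD1.3") -> dict:
    """GET the volume object over iControl REST with HTTP basic auth (TLS verified)."""
    url = f"https://{host}/mgmt/tm/sys/software/volume/{volume}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

if __name__ == "__main__":
    replies = iter([INSTALLING, INSTALLING, COMPLETE])            # simulated polling
    print(wait_for_install(lambda: next(replies), "16.0.1.1", delay=0))  # complete
```

In a real run you would pass `lambda: fetch_volume(host, user, password)` as the fetch callable and only reboot into the volume when the result is "complete".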
This option is totally doable if you have a few devices, and you likely have everything you need to knock this out, so I’ll just link the upgrade guide again and call it good. But if you’re trending north of that line, you really ought to investigate an automation path with one of the approaches outlined above. If none of them is a possibility for you, don’t fret! The community is here to help. Post a comment below or ask a question in Q&A!