26-Mar-2021 06:59
I'm trying to find information on whether or not the F5 servers we are running are vulnerable to the Security Advisory K02566623: Overview of F5 vulnerabilities (March 2021). We are running BIG-IP versions 10.2.4, 9.4.8, and 9.4.3. The modules we have active are SSL, LTM, and ASM. I understand that these are EOL for support, but are the differences between these and the newer versions so great that we are not exposed to the vulnerabilities?
26-Mar-2021 09:24
Citing from K4602: Overview of the F5 security vulnerability response policy:
"When a vulnerability is publicly disclosed, F5 is committed to evaluating the software versions that have not yet reached End of Technical Support (EoTS), as indicated in the software support policy articles for each product. For more information, refer to F5 software products currently supported with active development in K8986: F5 software lifecycle policy.
When critical vulnerabilities are discovered, F5 implements, tests, and releases security hotfixes for the supported software versions, where technically feasible. For additional information regarding the F5 critical issue hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy."
As stated in K5903: BIG-IP software support policy, all the software you are running is EoTS.
In other words: F5 will not check whether or not the software you are running is vulnerable.
I recommend you start from here:
K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference
and here:
AskF5's new BIG-IP upgrade guide
Good luck! If you get stuck, come here and ask for help. 🙂