Security Advisory Description
Note: F5 is committed to responding quickly to potential vulnerabilities in F5 products and, as with all publicly known vulnerabilities, to publishing a response as soon as the vulnerability has been thoroughly investigated. In this case, an external researcher informed F5 that their findings would be made public on October 10. To reduce the impact on our customers, we moved the Quarterly Security Notification (QSN) scheduled for October 18 to October 10, so that customers would not have to respond to multiple separate disclosures.
On October 10, 2023, F5 announced the following security issues. This document is an overview of these vulnerabilities and security exposures, intended to help you determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
High CVEs
Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
K000135689: BIG-IP Configuration utility vulnerability CVE-2023-41373 | 8.8 (standard deployment); 9.9 (Appliance mode) | BIG-IP (all modules) | 17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
K41072952: BIG-IP Appliance mode external monitor vulnerability CVE-2023-43746 | 8.7 (Appliance mode only) | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K29141800: Multi-blade VIPRION Configuration utility session cookie vulnerability CVE-2023-40537 | 8.1 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K000136185: BIG-IP Edge Client for macOS vulnerability CVE-2023-43611 | 7.8 | BIG-IP (APM) | 17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
K000136185: BIG-IP Edge Client for macOS vulnerability CVE-2023-43611 | 7.8 | APM Clients | 7.2.3 – 7.2.4 | 7.2.4.4 |
K000133467: BIG-IP HTTP/2 vulnerability CVE-2023-40534 | 7.5 | BIG-IP (all modules) | 17.1.0 – 17.1.1, 16.1.0 – 16.1.4 | 17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG², 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.23.4-ENG², 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.13.5-ENG² |
K000133467: BIG-IP HTTP/2 vulnerability CVE-2023-40534 | 7.5 | BIG-IP Next SPK | 1.6.0 – 1.8.2 | None |
K000134652: BIG-IP TCP profile vulnerability CVE-2023-40542 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K000132420: BIG-IP IPsec vulnerability CVE-2023-41085 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K000135874: BIG-IP Next SPK SSH vulnerability CVE-2023-45226 | 7.4 | BIG-IP Next SPK | 1.5.0 | 1.6.0 |
K000135040: BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 7.3 | BIG-IP (APM) | 17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
K000135040: BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 7.3 | APM Clients | 7.2.3 – 7.2.4 | 7.2.4.5 |
K26910459: BIG-IP iControl REST vulnerability CVE-2023-42768 | 7.2 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
² F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IP system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Medium CVEs
Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
K98334513: BIG-IP DNS TSIG key vulnerability CVE-2023-41253 | 5.5 | BIG-IP (DNS, LTM enabled with DNS Services license) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K06110200: BIG-IP and BIG-IQ TACACS+ audit log vulnerability CVE-2023-43485 | 5.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K06110200: BIG-IP and BIG-IQ TACACS+ audit log vulnerability CVE-2023-43485 | 5.5 | BIG-IQ Centralized Management | 8.0.0 – 8.3.0 | 8.3.0 + Hotfix-BIG-IQ-8.3.0.0.12.118-ENG², 8.2.0.1 + Hotfix-BIG-IQ-8.2.0.1.0.13.97-ENG² |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | BIG-IP Next (all modules) | 20.0.1 | None |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | BIG-IP Next SPK | 1.5.0 – 1.8.2 | None |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | BIG-IP Next CNF | 1.1.0 – 1.1.1 | None |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | BIG-IP (all modules) | 17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | NGINX Plus | R25 – R30 | R30 P1, R29 P1 |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | NGINX OSS | 1.9.5 – 1.25.2 | None |
K000137106: HTTP/2 vulnerability CVE-2023-44487 | 5.3 | NGINX Ingress Controller | 3.0.0 – 3.3.0, 2.0.0 – 2.4.2, 1.12.2 – 1.12.5 | None |
K20307245: BIG-IP tmsh vulnerability CVE-2023-45219 | 4.4 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K47756555: BIG-IP APM Guided Configuration vulnerability CVE-2023-39447 | 4.4 | BIG-IP (APM) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.7 | 17.1.0, 16.1.4, 15.1.8 |
K47756555: BIG-IP APM Guided Configuration vulnerability CVE-2023-39447 | 4.4 | BIG-IP (Guided Configuration) | 8.0, 7.0 – 7.7, 6.0 | 9.0 |
K20850144: BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964 | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K20850144: BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964 | 4.3 | BIG-IQ Centralized Management | 8.0.0 – 8.3.0 | 8.3.0 + Hotfix-BIG-IQ-8.3.0.0.12.118-ENG², 8.2.0.1 + Hotfix-BIG-IQ-8.2.0.1.0.13.97-ENG² |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
² F5 has fixed this issue in an engineering hotfix that is available for versions of the BIG-IQ system which have not yet reached End of Software Development. Customers affected by this issue can download the engineering hotfix from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Security Exposures
Article (Exposure) | Affected products | Affected versions¹ | Fixes introduced in |
K75431121: BIG-IP APM OAuth Bearer with SSO does not process HTTP headers as expected | BIG-IP (APM) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K21800102: HTTP RFC enforcement is bypassed when a redirect iRule is applied to the virtual server | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K21800102: HTTP RFC enforcement is bypassed when a redirect iRule is applied to the virtual server | BIG-IP (Advanced WAF/ASM) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.4, 15.1.9 |
K21800102: HTTP RFC enforcement is bypassed when a redirect iRule is applied to the virtual server | NGINX App Protect WAF | 4.0.0 – 4.1.0, 3.3.0 – 3.12.2 | 4.2.0 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
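Reading the High and Medium CVE tables above against a fleet by hand is error-prone, because a BIG-IP version is affected only when it sits in a listed branch range and below the fix introduced on its own major.minor line, and three of the fixes are only complete once an engineering hotfix is installed. The script below is an added example, not F5 tooling, that encodes those conventions as they appear on this page (affected versions per branch; "Fixes introduced in" as the first fixed point release on each major.minor line; "<version> + Hotfix-...-ENG" meaning the base version is fixed only with that hotfix). The ADVISORIES rows are copied from the tables; the `tmsh show sys version` output in TMSH_OUTPUT is a constructed sample and its exact layout is an assumption.

```python
"""Check a running BIG-IP version against the affected/fixed ranges in this QSN.

Added example (not F5's own tooling). Conventions assumed from the tables:
affected versions are listed per branch (major.minor.maintenance), the fix
column gives the first fixed point release on each major.minor line, and
"<version> + Hotfix-...-ENG" means the base version needs that hotfix.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]  # (major, minor, maintenance, point); missing fields are 0

# Rows copied from the High and Medium tables: CVE -> (affected versions, fixes introduced in)
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "CVE-2023-41373": (
        "17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5",
        "17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6"),
    "CVE-2023-43746": (
        "16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5",
        "17.1.0, 16.1.4, 15.1.9"),
    "CVE-2023-40534": (
        "17.1.0 – 17.1.1, 16.1.0 – 16.1.4",
        "17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG, 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.23.4-ENG, "
        "16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.13.5-ENG"),
    "CVE-2023-44487": (
        "17.1.0, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5",
        "None"),
}


@dataclass(frozen=True)
class Fix:
    text: str                     # version exactly as printed in the table, e.g. "16.1.4.1"
    version: Version
    hotfix: Optional[str] = None  # ENG hotfix ID when the base version alone is not a fix


def parse_version(text: str) -> Version:
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# "lo – hi" (en dash or hyphen) or a lone version; commas/spaces between entries are ignored
_RANGE = re.compile(r"(\d+(?:\.\d+)+)(?:\s*[\u2013-]\s*(\d+(?:\.\d+)+))?")
# "17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG" or a plain "16.1.4.1"; "None" yields no fixes
_FIX = re.compile(r"(\d+(?:\.\d+)+)(?:\s*\+\s*(Hotfix-[\w.-]+))?")


def parse_ranges(text: str) -> List[Tuple[Version, Version]]:
    return [(parse_version(lo), parse_version(hi or lo)) for lo, hi in _RANGE.findall(text)]


def parse_fixes(text: str) -> List[Fix]:
    return [Fix(m.group(1), parse_version(m.group(1)), m.group(2)) for m in _FIX.finditer(text)]


def status(running: Version, affected: List[Tuple[Version, Version]], fixes: List[Fix]) -> str:
    # Only a fix on the same major.minor line counts. Highest fix first, so 17.1.1 is
    # matched against its own hotfix rather than the 17.1.0.3 one.
    same_line = sorted((f for f in fixes if f.version[:2] == running[:2]),
                       key=lambda f: f.version, reverse=True)
    for fix in same_line:
        if running >= fix.version:
            return f"fixed in {fix.text}" if fix.hotfix is None else f"fixed only with {fix.hotfix}"
    branch = running[:3]
    if not any(lo[:3] <= branch <= hi[:3] for lo, hi in affected):
        return "not listed as affected"
    if same_line:
        return f"affected; upgrade to {same_line[-1].text}"
    return f"affected; no fix on the {running[0]}.{running[1]} line"


def assess(running_version: str, advisories: Dict[str, Tuple[str, str]] = ADVISORIES) -> Dict[str, str]:
    running = parse_version(running_version)
    return {cve: status(running, parse_ranges(aff), parse_fixes(fix))
            for cve, (aff, fix) in advisories.items()}


# Constructed sample of `tmsh show sys version` output; the layout is assumed, not captured.
TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4
  Build       0.0.4
  Edition     Final
"""


def version_from_tmsh(output: str) -> str:
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return m.group(1)


if __name__ == "__main__":
    for cve, verdict in assess(version_from_tmsh(TMSH_OUTPUT)).items():
        print(f"{cve}: {verdict}")
```

Treat "not listed as affected" as exactly that and not as a clean bill of health: per footnote 1, F5 does not evaluate versions past End of Technical Support, and a version newer than the table (for example a point release that shipped after this QSN) is only known to be unaffected if the article itself says so. For the hotfix rows, confirm the ENG hotfix is actually installed on the active boot location rather than trusting the base version string.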
Related Content
- K12201527: Overview of Quarterly Security Notifications
- K67091411: Guidance for Quarterly Security Notifications
- K84205182: BIG-IP update and upgrade guide | Chapter 1: Guide contents
- K41942608: Overview of MyF5 security advisory articles
- K4602: Overview of the F5 security vulnerability response policy
- K4918: Overview of the F5 critical issue hotfix policy
- K39757430: F5 product and services lifecycle policy index
- K9502: BIG-IP hotfix and point release matrix
- K13123: Managing BIG-IP product hotfixes (11.x – 17.x)
- K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)
- K000090258: Download F5 products from MyF5
- K9970: Subscribing to email notifications regarding F5 products
- K9957: Creating a custom RSS feed to view new and updated documents
- K27404821: Using F5 iHealth to diagnose vulnerabilities