PT-2015-4183 · F5 · F5 Big-Ip Apm+5
Published 2015-05-12 · Updated 2017-01-03 · CVE-2014-9326
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller versions 11.5.0 through 11.6.0
F5 BIG-IP ASM versions 10.0.0 through 11.6.0
F5 BIG-IP PEM versions 11.3.0 through 11.6.0
Description
The issue arises from the automatic signature update functionality in the Phone Home and Call Home features, which fails to properly validate server SSL certificates. This allows remote attackers to conduct man-in-the-middle attacks by using a crafted certificate.
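The weak setting the advisory describes (an update client that accepts any server certificate) beside the corrected one, as an added Python example that is not F5 code: the update URL and the fetch helper are hypothetical, and audit_context reports what would let a crafted certificate through.

```python
"""Signature-update client TLS posture: weak vs. hardened (added example, not F5 code)."""
import ssl
import urllib.request
from typing import List, Optional

# Hypothetical update endpoint; placeholder, not a real F5 address.
UPDATE_URL = "https://update.example.invalid/signatures.tgz"


def weak_update_context() -> ssl.SSLContext:
    """The failure mode in the advisory: chain and hostname are never checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname no longer compared to SAN/CN
    ctx.verify_mode = ssl.CERT_NONE     # chain not validated at all
    return ctx


def hardened_update_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require a trusted chain and a matching hostname; pin to a CA bundle if given."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings that would let a man-in-the-middle certificate pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("server hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions permitted")
    return findings


def fetch_signature_update(url: str = UPDATE_URL,
                           ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Download an update; with the hardened context a forged cert raises SSLCertVerificationError."""
    ctx = ctx or hardened_update_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()
```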
Recommendations
For F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller versions 11.5.0 through 11.6.0, consider disabling the Phone Home feature until a patch is available.
For F5 BIG-IP ASM versions 10.0.0 through 11.6.0, consider disabling both the Phone Home and Call Home features until a patch is available.
For F5 BIG-IP PEM versions 11.3.0 through 11.6.0, consider disabling the Call Home feature until a patch is available.
Fix
Related Identifiers
Affected Products
F5 Big-Ip Apm
F5 Big-Ip Analytics
F5 Big-Ip Gtm
F5 Big-Ip Ltm
F5 Big-Ip Link Controller
F5 Big-Ip Pem