Service Notices
F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
Jul 08, 2020 GMT+08:00
I. Overview
F5 recently released a security notice about BIG-IP, which disclosed that the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a remote code execution (RCE) vulnerability (CVE-2020-5902) in undisclosed pages. Unauthorized attackers can send specially crafted request packets to execute arbitrary code remotely.
If you are an F5 BIG-IP user, check your versions and implement timely security hardening.
For more information about this vulnerability, visit the following website:
https://support.f5.com/csp/article/K52145254
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
BIG-IP 15.x: 15.1.0 and 15.0.0
BIG-IP 14.x: 14.1.0 to 14.1.2
BIG-IP 13.x: 13.1.0 to 13.1.3
BIG-IP 12.x: 12.1.0 to 12.1.5
BIG-IP 11.x: 11.6.1 to 11.6.5
Secure versions:
BIG-IP 15.x: 15.1.0.4
BIG-IP 14.x: 14.1.2.6
BIG-IP 13.x: 13.1.3.4
BIG-IP 12.x: 12.1.5.2
BIG-IP 11.x: 11.6.5.2
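The version lists above can be applied to a device inventory with a short script. The following is an added example, not code from F5 or from this notice; the host names and sample versions are constructed. It assumes that every release from the lowest listed affected version of a branch up to, but not including, the listed secure version is affected, and that later releases in the same branch carry the fix.

```python
# Added example: triage BIG-IP version strings against the lists in this notice.
# major branch -> (lowest affected version listed, secure version listed)
ADVISORY = {
    15: ((15, 0, 0, 0), (15, 1, 0, 4)),
    14: ((14, 1, 0, 0), (14, 1, 2, 6)),
    13: ((13, 1, 0, 0), (13, 1, 3, 4)),
    12: ((12, 1, 0, 0), (12, 1, 5, 2)),
    11: ((11, 6, 1, 0), (11, 6, 5, 2)),
}

def parse_version(text):
    """Turn '14.1.2.5' into (14, 1, 2, 5); shorter versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def classify(text):
    """Return 'affected', 'secure', 'not-listed' or 'unparsed'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparsed"          # review by hand; do not assume it is safe
    if version[0] not in ADVISORY:
        return "not-listed"        # branch is not covered by this notice
    lowest, secure = ADVISORY[version[0]]
    if version >= secure:
        return "secure"            # assumption: later releases keep the fix
    if version >= lowest:
        return "affected"          # assumption: whole span below the fix
    return "not-listed"            # older than anything the notice lists

def triage(inventory):
    """Map each host to its status and return the hosts needing an upgrade."""
    status = {host: classify(ver) for host, ver in inventory.items()}
    return status, sorted(h for h, s in status.items() if s == "affected")

# Constructed sample inventory (hypothetical hosts and versions)
SAMPLE = {
    "ltm-edge-01": "15.1.0.3",
    "ltm-edge-02": "15.1.0.4",
    "ltm-core-01": "14.1.2",
    "ltm-lab-01": "11.5.4",
    "ltm-lab-02": "unknown",
}

if __name__ == "__main__":
    status, upgrade = triage(SAMPLE)
    for host in sorted(status):
        print(f"{host:12} {SAMPLE[host]:10} {status[host]}")
    print("upgrade first:", ", ".join(upgrade))
```

Hosts reported as not-listed or unparsed are not confirmed safe; check them against the F5 article directly.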
IV. Vulnerability Handling
Secure versions have been officially released. Upgrade to the secure version for your release branch. If you cannot upgrade at this time, apply the temporary mitigation actions recommended by F5. For more information, go to https://support.f5.com/csp/article/K52145254
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.