F5 (BIG-IP, NGINX) Family August 2024 Security Update Advisory

Overview

An update has been released to address vulnerabilities in F5 products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-39809

  • BIG-IP Next Central Manager version: 20.1.0

CVE-2024-39792

  • NGINX Plus versions: R30 (inclusive) ~ R32 (inclusive)

CVE-2024-41164

  • BIG-IP Next SPK versions: 1.7.0 (inclusive) ~ 1.8.2 (inclusive)
  • BIG-IP Next CNF versions: 1.1.0 (inclusive) ~ 1.1.1 (inclusive)
  • BIG-IP (all modules) version: 17.1.0
  • BIG-IP (all modules) versions: 16.1.0 (inclusive) ~ 16.1.4 (inclusive)
  • BIG-IP (all modules) versions: 15.1.0 (inclusive) ~ 15.1.9 (inclusive)

Resolved Vulnerabilities

An attacker who obtains a user's session cookie could use that session to continue accessing BIG-IP Next Central Manager and the systems it manages even after the user logs out (CVE-2024-39809)

A vulnerability that could cause the NGINX master and worker processes to degrade system performance until they are forcibly or manually restarted, which could allow an attacker to degrade service to the point of a denial of service in NGINX (CVE-2024-39792)

A vulnerability that could cause TMM to shut down when a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server and undisclosed traffic is received, under conditions beyond the attacker's control (CVE-2024-41164)

Vulnerability Patches

The following product-specific patches have been made available in the latest update. Please follow the instructions on the referenced sites to update to the patched versions listed below.

CVE-2024-39809

  • BIG-IP Next Central Manager version: 20.2.0

CVE-2024-39792

  • NGINX Plus version: R32 P1
  • NGINX Plus version: R31 P3

CVE-2024-41164

  • BIG-IP Next SPK version: 1.9.0
  • BIG-IP Next CNF version: 1.2.0
  • BIG-IP (all modules) version: 17.1.1
  • BIG-IP (all modules) version: 16.1.5
  • BIG-IP (all modules) version: 15.1.10
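
To check a deployed version against the affected and patched versions listed above, here is an added example that is not part of the advisory or of F5's own tooling: it transcribes the page's ranges into a small Python lookup, with the product-name keys chosen here as an assumption for the lookup.

```python
import re

# Inclusive affected ranges transcribed from the advisory; a single version is (v, v).
AFFECTED = {
    "CVE-2024-39809": {"BIG-IP Next Central Manager": [("20.1.0", "20.1.0")]},
    "CVE-2024-39792": {"NGINX Plus": [("R30", "R32")]},
    "CVE-2024-41164": {
        "BIG-IP Next SPK": [("1.7.0", "1.8.2")],
        "BIG-IP Next CNF": [("1.1.0", "1.1.1")],
        "BIG-IP": [("17.1.0", "17.1.0"), ("16.1.0", "16.1.4"), ("15.1.0", "15.1.9")],
    },
}
# Patched builds from the advisory; NGINX Plus ships a separate fix per release line.
FIXED = {
    "CVE-2024-39809": {"BIG-IP Next Central Manager": ["20.2.0"]},
    "CVE-2024-39792": {"NGINX Plus": ["R32 P1", "R31 P3"]},
    "CVE-2024-41164": {
        "BIG-IP Next SPK": ["1.9.0"],
        "BIG-IP Next CNF": ["1.2.0"],
        "BIG-IP": ["17.1.1", "16.1.5", "15.1.10"],
    },
}

def parse_version(text):
    """'17.1.10' -> (17, 1, 10); 'R32 P1' -> (32, 1); 'R32' -> (32, 0).
    Tuples compare numerically, so R32 P1 > R32 and 15.1.10 > 15.1.9."""
    m = re.fullmatch(r"R(\d+)(?:\s*P(\d+))?", text.strip(), re.IGNORECASE)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    return tuple(int(part) for part in text.strip().split("."))

def _has_fix(product, ver, cve):
    """True if ver is at or above a patched build on the same release line
    (same tuple prefix): R31 P3 fixes R31 but says nothing about R30."""
    for fixed in FIXED.get(cve, {}).get(product, []):
        fx = parse_version(fixed)
        if fx[:-1] == ver[:-1] and ver >= fx:
            return True
    return False

def affected_cves(product, version):
    """Return the advisory CVE ids that still apply to this product version."""
    ver = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        for lo, hi in products.get(product, []):
            if parse_version(lo) <= ver <= parse_version(hi) and not _has_fix(product, ver, cve):
                hits.append(cve)
                break
    return hits
```

A version on a release line with no listed fix (for example NGINX Plus R30) is reported as affected until it is upgraded to one of the patched releases.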

References

[1] K000140111: BIG-IP Next Central Manager vulnerability CVE-2024-39809

https://my.f5.com/manage/s/article/K000140111

[2] K000140108: NGINX Plus MQTT vulnerability CVE-2024-39792

https://my.f5.com/manage/s/article/K000140108

[3] K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164

https://my.f5.com/manage/s/article/K000138477

Article Link: F5 (BIG-IP, NGINX) Family August 2024 Security Update Advisory – ASEC