F5 Patches multiple high severity flaws in BIG-IP and NGINX Plus
Take action: If you are using F5 BIG-IP or NGINX Plus plus products, review the advisory for relevant patches to your platforms. Isolation from untrusted networks is always an option but it's better to plan for a patch - before these flaws are exploited.
Learn More
F5 Networks has issued patches addressing nine vulnerabilities as part of its August 2024 quarterly security update. Among these are fixes for high-severity flaws impacting their BIG-IP and NGINX Plus solutions.
- CVE-2024-39809 (CVSS score 8.7). This flaw is an insufficient session expiration issue in the BIG-IP Next Central Manager. It occurs because the session refresh token does not expire after a user logs out. If an attacker gains access to a user’s session cookies, they could continue using that session to access both the BIG-IP Next Central Manager and systems it manages even after the user has logged out. Importantly, this is a control plane vulnerability and does not expose the data plane. The issue impacts BIG-IP Next Central Manager version 20.1.0 and is resolved with the release of version 20.2.0. For those unable to apply the fix immediately, F5 recommends mitigating the issue by limiting management access to trusted users and devices, fully logging out and closing all browser sessions after using the webUI, and using a dedicated browser for managing the webUI.
- CVE-2024-39778 (CVSS score 7.5), affects BIG-IP and can cause virtual servers to stop processing client connections, leading to a denial-of-service (DoS) condition. This occurs when the Traffic Management Microkernel (TMM) crashes on stateless virtual servers configured with a High-Speed Bridge (HSB). The flaw affects BIG-IP versions 15.x, 16.x, and 17.x, and is fixed in versions 16.1.5 and 17.1.1. F5 notes that changing the virtual server configuration to Standard and adjusting the Idle Timeout setting in the associated UDP profile to Immediate can help mitigate this issue.
- CVE-2024-39792 (CVSS score 7.5), affects NGINX Plus instances that use the MQTT filter module. This flaw can lead to increased resource usage and eventually cause performance degradation, requiring manual or forced restarts of NGINX master and worker processes. The vulnerability is addressed in NGINX Plus versions R32 P1 and R31 P3, but disabling the MQTT filter module can also serve as a workaround.
- CVE-2024-41727 (CVSS score 7.5), a resource consumption vulnerability in BIG-IP tenants running on r2000 and r4000 series hardware, as well as BIG-IP Virtual Editions using Intel E810 SR-IOV NICs. This issue could allow a remote attacker to cause a DoS condition by forcing the TMM process to restart. The flaw impacts BIG-IP versions 15.x and 16.x, with the fix available in version 16.1.5.
Full list, including five medium-severity flaws in both BIG-IP and NGINX are published on their advisory site. F5 claims that none of these vulnerabilities have been observed being exploited in the wild.
