F5 BIG-IP Sensitive Information Disclosure Vulnerability

Severity Level: High

Date: 16/08/2024

Ref: CERT /2024/08/74

Components Affected

• BIG-IP (all modules)
  • version 15.1.0 – 15.1.10
  • version 16.1.0 – 16.1.5
  • version 17.1.0 – 17.1.1
• F5OS-A
  • version 1.5.1 – 1.5.2
  • version 1.7.0
• F5OS-C
  • version 1.6.0 – 1.6.2
• Traffix SDC
  • version 5.1.0
  • version 5.2.0

Overview

A vulnerability was identified in F5 BIG-IP, a remote attacker could exploit this vulnerability to trigger sensitive information disclosure on the targeted system.

Note: No patch or mitigation is currently available for CVE-2024-39573 of the affected products.

Description

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Impact

• Security Restriction Bypass

Solution/Workarounds

No solution was available at the time of this vulnerability.

Reference

• F5 Security Advisory

Disclaimer

The information provided herein is on an "as-is" basis, without warranty of any kind.