Recent Vulnerabilities in F5
On March 19th, 2021, F5 announced twenty-one (21) CVEs affecting its BIG-IP and BIG-IQ modules, four of them critical. Of the four critical vulnerabilities, two were on the control plane, in iControl and the Traffic Management User Interface (TMUI), allowing unauthenticated users with network access to execute arbitrary system commands, create or delete files, and disable services. The remaining two were on the data plane, affecting virtual servers and increasing the risk of Denial-of-Service (DoS) attacks.
F5’s Response
F5 quickly released versions with fixes to all 21 vulnerabilities and urged affected users to upgrade their modules to the fixed versions.
Caveats in the Upgrade Process
The vulnerabilities disclosed by F5 affect almost all BIG-IP and BIG-IQ versions. Enterprises need to track which version of the modules they’re running and manually upgrade each of them to the appropriate fixed version. Manual upgrades are time-consuming, and the longer the network stays exposed to the vulnerabilities, the greater the risk of an attack. Manual upgrades also leave room for errors and compliance lapses, further increasing the risk.
How Can AppViewX ADC+ Help with the Upgrade?
Identifying device types and versions
IT administrators can use AppViewX ADC+ to scan the network and create an inventory of all F5 devices and modules. ADC+ generates reports that classify modules based on the device type, versions, and the applications they support. With this, administrators can easily identify vulnerable versions and gauge the risk.
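As an added illustration of the inventory step described above (this is not AppViewX or F5 code), the script below parses BIG-IP-style version strings, maps each device to its release branch, and classifies it as fixed, vulnerable, or unknown against a per-branch threshold table. The thresholds in FIXED_VERSIONS and the inventory are constructed placeholders; the real fixed versions come from F5's advisory.

```python
"""Triage a BIG-IP/BIG-IQ inventory against per-branch fixed versions.

Added example, not AppViewX or F5 code. FIXED_VERSIONS holds PLACEHOLDER
thresholds that must be replaced with the values from the vendor advisory.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# PLACEHOLDER thresholds keyed by release branch ("major.minor"); the real
# fixed versions are not on this page and must be taken from F5's advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "16.0": "16.0.99",
    "15.1": "15.1.99",
    "14.1": "14.1.99",
}

# Constructed sample inventory: (hostname, product, running version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("lb-edge-01", "BIG-IP", "16.0.1"),
    ("lb-edge-02", "BIG-IP", "16.0.99"),
    ("lb-core-01", "BIG-IP", "15.1.2"),
    ("mgmt-iq-01", "BIG-IQ", "7.1.0"),  # branch absent from table -> unknown
]


def parse_version(text: str) -> Version:
    """'15.1.2.1' -> (15, 1, 2, 1); shorter strings are zero-padded so that
    '16.0.1' compares as 16.0.1.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def branch_of(version: str) -> str:
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def classify(version: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (branch not in the table)."""
    threshold = fixed.get(branch_of(version))
    if threshold is None:
        return "unknown"
    return "fixed" if parse_version(version) >= parse_version(threshold) else "vulnerable"


def triage(inventory=INVENTORY, fixed=FIXED_VERSIONS) -> Dict[str, List[str]]:
    """Group hostnames by status so vulnerable devices can be queued first."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, _product, version in inventory:
        report[classify(version, fixed)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage().items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Devices reported as "unknown" belong to a branch with no entry in the table and need manual review rather than being treated as safe.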
Automated Upgrade and Backups
Once the installation files are loaded into ADC+, it pushes them onto the appropriate modules based on rules that administrators enter through a form. Before initiating the actual upgrade, ADC+ checks the existing state of the device and takes a backup of the last-known-good configuration. Once the device state is validated, ADC+ pushes the installation file onto it and reboots the device.
Post-Validation Checks
Once the device is back online, ADC+ runs post-validation checks to ensure that the upgrade succeeded and hasn’t affected the device’s active connections. If the device fails the post-validation check or the installation goes awry, ADC+ restores the device to its last-known-good configuration from the backup.
Advantages of using AppViewX ADC+ to Upgrade F5 Devices
- ADC+ supports automated bulk upgrades based on predefined rules, dramatically reducing upgrade times and the attack window.
- It enables F5 devices to come online quickly, ensuring business continuity.
- Automation, coupled with pre- and post-validation checks, eliminates errors and guarantees compliance.
- IT administrators can initiate and track the upgrade process from the ITSM tool of their choice.
- ADC+ sends periodic alerts to IT administrators, updating them on the status of the upgrade.
- It also makes auditing easy by creating a log of the upgrades.
If you’d like to know more about AppViewX ADC+, talk to our product experts and ask them for a demo.