

Managing Vulnerabilities

I have some questions about vulnerability management which I have been struggling with that hopefully someone can help with. Sometimes our vulnerability management system (Nexpose) shows assets under a particular vulnerability of a virtual server but then shows the operating system, such as Microsoft. I am trying to figure out or understand better what to expect in vulnerability management, as the F5 proxies the connectivity to real servers. Are those exploits something I should consider, or should they belong to the owners of the app or servers? As an example, I have an ADC that Nexpose reports multiple virtual servers are vulnerable to CVE-2011-3192. It actually has an F5 entry and an Apache entry, with the Apache entry being the one that reports all the virtual servers (on only 1 ADC). It says, "Server responded with partial content to a request with Malicious Range Headers." Now the F5 vuln shows no assets: "F5 Networks: K13114 (CVE-2011-3192): Apache Range header vulnerability - CVE-2011-3192. No assets have this vulnerability."

But as mentioned, this other entry lists multiple virtual servers: "Apache HTTPD: Range header remote DoS (CVE-2011-3192). Server responded with partial content to a request with malicious Range headers."

Is the virtual server responding with this, or is it being proxied to the real server and that is responding, and I need to advise our vuln mgmt. team to have Nexpose stop reporting this? Thanks for any help. We are on 12.1.1 HF1 right now but will be upgrading eventually to 13.1.X, which will remediate almost all the open ones we have currently, but I am not sure how to tell my vuln mgmt. team, "hey, this isn't the F5" (unless it is). Thanks!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I am going to reply to my own question as I probably should have read the Article a little closer.

https://support.f5.com/csp/article/K13114

Vulnerable component or feature: Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers

I am not on a vulnerable image: Versions known to be not vulnerable: 11.1.0 and later

So I think this is a tagging issue with our Vuln Management system. I guess if anyone responds, do you think this is still an issue with F5 or an issue with Nexpose?

Comments on this Answer
Comment made 03-Aug-2018 by Chris Grant

Your vulnerability managing system is correctly reporting that there is a vulnerability, but in this case it's a vulnerability on the back end system that is being exposed through the BigIP. The correct place to patch this is in the back end system. Patching the BigIP, even if possible, would do nothing to patch the vulnerability your scanner is seeing, as we are simply passing on the vulnerable code from the back end.

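The scanner's signal here is a 206 response to a Range header carrying an unusual number of (often overlapping) byte ranges, and as the comment above explains, the BIG-IP simply forwards that request to the origin. The following added Python example (not from this thread, F5 or Nexpose) shows the proxy-side check one could apply before forwarding: parse the Range header, flag the CVE-2011-3192 pattern, and strip the header so the origin answers with a full 200 instead. The threshold of five range specs and the header dict shape are assumptions for illustration.

```python
import re

# RFC 7233 byte-range-spec: "first-last", "first-", or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Parse a Range header value into (first, last) tuples; None marks an
    open end. Raises ValueError for anything that is not a well-formed
    bytes range, so callers can treat junk the same as abuse."""
    unit, sep, specs = header_value.strip().partition("=")
    if unit.lower() != "bytes" or not sep:
        raise ValueError("unsupported range unit")
    ranges = []
    for item in specs.split(","):
        m = RANGE_SPEC.match(item.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range spec: {item!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def is_abusive_range(header_value, max_specs=5):
    """CVE-2011-3192 pattern: many byte-range specs, typically overlapping,
    in one header. RFC 7233 sec. 6.1 tells servers to ignore or reject such
    egregious requests; a proxy can do it on their behalf. Returns (flag, reason)."""
    try:
        ranges = parse_byte_ranges(header_value)
    except ValueError as exc:
        return True, str(exc)
    if len(ranges) > max_specs:
        return True, f"{len(ranges)} range specs (limit {max_specs})"
    # Overlapping or duplicate closed ranges are the other tell-tale sign.
    closed = sorted((f, l) for f, l in ranges if f is not None and l is not None)
    for (f1, l1), (f2, l2) in zip(closed, closed[1:]):
        if f2 <= l1:
            return True, f"overlapping ranges {f1}-{l1} and {f2}-{l2}"
    return False, "ok"


def proxy_decision(headers, max_specs=5):
    """Decide what the proxy does before forwarding to the origin: pass the
    request unchanged, or strip Range so the origin serves a plain 200."""
    value = headers.get("Range")
    if value is None:
        return "forward"
    flagged, reason = is_abusive_range(value, max_specs)
    return "strip-range: " + reason if flagged else "forward"
```

A legitimate resume request such as `bytes=500-` is forwarded untouched, while a header with overlapping or dozens of ranges never reaches the Apache origin, which is what makes the scanner's 206 check stop firing through the virtual server.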