Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing. An advisory dated today lists seven CVEs, four rated critical. Most of the bugs concern TMUI – the Traffic Management User Interface that …

  1. SecretSonOfHG

    Oh the irony

    Of a security product that has security vulnerabilities by itself. Clearly, we need yet another security layer to protect the protection tools, and so on... One has to wonder if F5 has any kind of security team that checks their own tooling before releasing it.

    Now, seriously, complexity always increases the likelihood of security flaws. Complex security products are much more likely to contain vulnerabilities than simpler ones. Yet, simpler ones are much more difficult to manage because of... their simplicity, so that creates incentives to build complex management shells and user interfaces around them. Which creates more chances for vulnerabilities.

    Now, please, get off my IP tables...

  2. tip pc Silver badge

    Holy cluster of &@£$

    That’s pretty bad. I still don’t buy their excuse as to why the unauthenticated 9.8 is less than the authenticated 9.9.

    Consolidate management to a central tool and suddenly the impact plane is huge.

    Does anyone still do layered multivendor security?

    Router with block and allow lists

    Firewall vendor 1

    Firewall vendor 2

    IPS

    Reverse proxy with ssl IPS

    Stuff.

    1. Pascal Monett Silver badge

      Re: Holy cluster of &@£$

      But, but, that costs money.

      And vendor one promised he could handle everything.

    2. John Jennings Bronze badge

      Re: Holy cluster of &@£$

      No, that was outsourced years ago, and no one left remembers how to do it as the team left are managing the contract.

      The new guys put in a single black box to win on price.

      It does everything for SLT.

    3. Roland6 Silver badge

      Re: Holy cluster of &@£$

      >Does anyone still do layered multivendor security?

      Layered security is primarily to protect your systems, not necessarily the individual products used in each layer.

      The real trouble is, you typically use F5 Big-IP products to provide the first/outermost layer interface to the Internet, so any vulnerability can lead to interesting results - given I expect the only people exploiting F5 kit, are people who know exactly what they are doing and why they are targeting F5...

      1. Anonymous Coward

        Re: Holy cluster of &@£$

        If your F5 isn't behind a firewall, you've done it wrong. Also, if it isn't in front of a 2nd firewall, you're also doing it wrong.

    4. martinusher Silver badge

      Re: Holy cluster of &@£$

      My experience with corporate IT is that they tend to be a very narrow-minded bunch that are for the most part "full of it". The reason for this was explained to me by my son who's been doing courses in various IT subjects, including security -- it's all about protection from the enemy within, making sure that knowledge is siloed so that no individual employee knows too much and so could threaten the enterprise. This promotes a sort of "NCO" mentality, a general understanding that they're the fount of all IT knowledge, their actions sanctioned by, and implementing policies conceived by, senior management are sacrosanct and are never to be questioned. There's also a mindset that favors familiar products from known vendors, accepting uncritically all updates from the chosen vendors (which is obviously something enthusiastically endorsed by their sales department).

      Anyone who has been working with systems for a significant period of time knows that this is asking for trouble. But I'm old so what do I know?

    5. Oor Nonny-Muss

      Re: Holy cluster of &@£$

      Sure. Do all that. I work in healthcare - f-ups in our network really can be life/death situations. Any cost is lower than the cost of the IT Director appearing in the dock at the Court of Session in his best suit.

  3. Anonymous Coward

    Hopefully one day, manufacturers of critical infrastructure will be governed as other manufacturers of potentially life-impacting equipment (cars, white goods, etc.) and will need to send people out to fix their faulty crap (recalls). Only then will manufacturers put the effort into testing.

    Most equipment is sold and forgotten. If we did this with cars and washing machines there would be lawsuits flying around everywhere.

  4. MajorNalga

    I put my F5 in front of an Exchange box, we're secured thank you.

  5. pc-fluesterer.info

    USA network gear? Off-limits!

    s/security bugs/backdoors/
