BD is aware of and currently monitoring two F5 Networks vulnerabilities, affecting the BIG-IP Traffic Management User Interface (TMUI). This third-party vulnerability, which F5 Networks corrected with their June 30, 2020 patch release, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.
CVE-2020-5902 is a remote code execution vulnerability in undisclosed pages in the TMUI, or the Configuration utility. This vulnerability affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The security patch made by F5 Networks addresses this vulnerability.
This vulnerability could potentially allow an unauthenticated user with network access to the TMUI through the BIG-IP management port and/or self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
CVE-2020-5903 is a cross-site scripting (XSS) vulnerability that exists in an undisclosed page of the BIG-IP Configuration utility. This vulnerability affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The security patch made by F5 Networks addresses this vulnerability.
BD has not received any reports of this third-party vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.