Third-party Vulnerability

F5 Networks BIG-IP

Background

BD is aware of and currently monitoring two F5 Networks vulnerabilities affecting the BIG-IP Traffic Management User Interface (TMUI). These third-party vulnerabilities, which F5 Networks corrected in its June 30, 2020 patch release, are not specific to BD or our products. BD has not received any reports of these vulnerabilities being exploited on BD products.

CVE-2020-5902 is a remote code execution vulnerability in undisclosed pages of the TMUI, also known as the Configuration utility. It affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The F5 Networks security patch addresses this vulnerability.

This vulnerability could allow an unauthenticated user with network access to the TMUI, through the BIG-IP management port or self IPs, to execute arbitrary system commands, create or delete files, disable services, or execute arbitrary Java code. Because no credentials are required, the exposure of the TMUI beyond the management network is the deciding factor in how reachable the vulnerability is.
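Because the vulnerability is reachable by anyone who can talk to the TMUI, the first check a practitioner wants is whether the Configuration utility has been reached from anywhere other than the management network. The following Python script is an added example and is not BD's or F5's code: it parses a constructed Apache-style access log (sample lines, IP addresses and the management CIDR are all made up for illustration) and reports requests to the /tmui/ path from sources outside the expected management networks. It looks only at exposure, not at any particular exploit payload.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample log, standing in for an access log from a web front end
# (or a BIG-IP httpd log) that records requests bound for the TMUI.
# All addresses, timestamps and paths here are made up for this example.
SAMPLE_LOG = """\
10.20.0.5 - - [02/Jul/2020:09:14:01 -0400] "GET /tmui/login.jsp HTTP/1.1" 200 3142
203.0.113.77 - - [02/Jul/2020:09:15:22 -0400] "GET /tmui/login.jsp HTTP/1.1" 200 3142
198.51.100.9 - - [02/Jul/2020:09:16:03 -0400] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [02/Jul/2020:09:17:45 -0400] "POST /tmui/Control/form HTTP/1.1" 302 0
10.20.0.9 - - [02/Jul/2020:09:18:10 -0400] "GET /tmui/ HTTP/1.1" 302 0
"""

# Assumed management network from which TMUI access is expected. Replace with
# the real management CIDRs for the environment being reviewed.
DEFAULT_MANAGEMENT_CIDRS = ("10.20.0.0/24",)

# Common log format: source, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_tmui_request(path: str) -> bool:
    """True when the request path targets the BIG-IP Configuration utility (TMUI)."""
    return path == "/tmui" or path.startswith("/tmui/")


def is_management_source(src: str, management_nets) -> bool:
    """True when src is an IP inside one of the management networks.

    A source that is not a valid IP (for example a hostname) is treated as
    outside the management network, so it is reported rather than silently trusted.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in management_nets)


def find_unexpected_tmui_access(
    log_text: str, management_cidrs: Sequence[str] = DEFAULT_MANAGEMENT_CIDRS
) -> List[Dict[str, str]]:
    """Return every TMUI request whose source is outside the management networks.

    Each finding is the parsed log record (src, ts, method, path, status), in log order.
    """
    management_nets = [ipaddress.ip_network(cidr) for cidr in management_cidrs]
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # unparseable or blank line; skipped rather than guessed at
        if not is_tmui_request(record["path"]):
            continue
        if is_management_source(record["src"], management_nets):
            continue
        findings.append(record)
    return findings


if __name__ == "__main__":
    for f in find_unexpected_tmui_access(SAMPLE_LOG):
        print(f"{f['ts']}  {f['src']:<16} {f['method']} {f['path']} -> {f['status']}")
```

Any line this reports means the TMUI was reachable from outside the management network, which is exactly the precondition the advisory describes; on a patched system it is still a configuration finding worth closing, since the management port and self IPs should not be exposed to untrusted networks.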

CVE-2020-5903 is a cross-site scripting (XSS) vulnerability in an undisclosed page of the BIG-IP Configuration utility. It affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The F5 Networks security patch addresses this vulnerability.

If exploited, this vulnerability could allow an attacker to run JavaScript in the context of the currently logged-in user. If that user is an administrative user with Advanced Shell access, successful exploitation can be leveraged to completely compromise the BIG-IP system through remote code execution.

Response

BD has deployed, tested, and validated the F5 Networks patch. Please review the Product Security Patching website for all approved product security patching notifications.

Additional Resources

BD has not received any reports of these third-party vulnerabilities being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The list is not comprehensive and may be updated as more products are identified. It does not indicate patch or device status.

  • BD HealthSight™ Clinical Advisor (Formerly MedMined)
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor (Formerly MedMined)
  • BD HealthSight™ Inventory Optimization
  • BD Infusion Knowledge Portal™
  • BD Medication Knowledge Portal™
  • BD Supply Knowledge Portal™

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.