F5 BIG-IQ is vulnerable to an input validation attack that allows an authenticated user to increase their privileges to those of another user. This allows an authenticated user with 0 roles to take on the roles of, say, admin or root. The user could then change the password of any other user (without logging out). If SSH is enabled (which it is by default), then the user could change the root user’s password and log in over SSH.
More here: http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html
This issue has been fixed in all releases after BIG-IQ 4.1, including 4.2
and 4.3.
Please see F5's technical solution at
http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15229.html
BIG-IQ 4.1 was in limited release and customers had already been asked to
upgrade.
No versions of BIG-IP are vulnerable.
Please use security-reporting@f5.com for any further reports. This email
address can be found by searching for "security" at http://ask.f5.com.
http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
Thanks
Jeff Costlow
j.costlow@f5.com