
F5 has recently released security advisories addressing vulnerabilities in its products. If exploited, these vulnerabilities could lead to denial-of-service (DoS) conditions, unauthorized access, service disruption and data breaches.
NGINX Plus
The first issue, CVE-2024-39792 (CVSSv4 8.7), affects NGINX Plus versions R30 to R32 when the MQTT pre-read module is in use. It allows an unauthenticated remote attacker to cause excessive memory consumption, leading to system instability and a possible DoS condition. The vulnerability affects only the data plane; the control plane is not compromised.
F5 strongly advises updating NGINX Plus to a patched version (R32 P1 or R31 P3) to fully mitigate this vulnerability. If an immediate update is not feasible, removing the MQTT filter module from the NGINX configuration can serve as a temporary workaround.
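A quick way to triage this advisory across a fleet is to combine the release check with a check for whether the MQTT pre-read module is actually configured. The following is an added example (not F5's or NGINX's own code) that does both on constructed inputs; it assumes the NGINX Plus `nginx -V` banner carries a suffix of the form `(nginx-plus-rNN[-pM])` and that the module is enabled with a `mqtt_preread on;` directive in the stream context.

```python
import re

# Constructed sample of an NGINX Plus version banner as printed by `nginx -V`.
# The "(nginx-plus-rNN[-pM])" suffix format is an assumption of this example.
SAMPLE_BANNER = "nginx version: nginx/1.25.5 (nginx-plus-r32)"

# Constructed sample stream configuration with the MQTT pre-read module enabled.
# The directive name `mqtt_preread` is an assumption of this example.
SAMPLE_CONFIG = """
stream {
    upstream mqtt_backend {
        server 10.0.0.10:1883;
    }
    server {
        listen 1883;
        mqtt_preread on;
        proxy_pass mqtt_backend;
    }
}
"""

RELEASE_RE = re.compile(r"nginx-plus-r(\d+)(?:-p(\d+))?")
# Anchored at line start so a commented-out directive does not count as enabled.
MQTT_PREREAD_RE = re.compile(r"^\s*mqtt_preread\s+on\s*;", re.MULTILINE)


def parse_plus_release(banner):
    """Return (release, patch) from an NGINX Plus banner, or None for non-Plus builds."""
    m = RELEASE_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected_release(release, patch):
    """Apply the advisory's range: R30-R32 affected, fixed in R32 P1 and R31 P3."""
    if release < 30 or release > 32:
        return False
    if release == 32:
        return patch < 1
    if release == 31:
        return patch < 3
    return True  # R30: no patch release listed, an upgrade is required


def uses_mqtt_preread(config_text):
    """True if the MQTT pre-read module is switched on anywhere in the config."""
    return bool(MQTT_PREREAD_RE.search(config_text))


def assess(banner, config_text):
    """Classify one host: not-nginx-plus, fixed, vulnerable, or affected-version-mqtt-disabled."""
    parsed = parse_plus_release(banner)
    if parsed is None:
        return "not-nginx-plus"
    release, patch = parsed
    if not is_affected_release(release, patch):
        return "fixed"
    if uses_mqtt_preread(config_text):
        return "vulnerable"
    # Affected release but the module is not in use: the temporary workaround is in effect.
    return "affected-version-mqtt-disabled"


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

The "affected-version-mqtt-disabled" result corresponds to the temporary workaround in the advisory: the host still needs the upgrade, but the exposed module is not active.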
BIG-IP Next Central Manager
The second vulnerability, CVE-2024-39809 (CVSSv4 8.9), affects BIG-IP Next Central Manager version 20.1.0. It allows an attacker who obtains a user's session cookies to keep accessing the administration interface even after the user logs out. This control-plane vulnerability could permit unauthorized access to BIG-IP Next Central Manager and the systems it manages.
The recommended mitigation is to update BIG-IP Next Central Manager to version 20.2.0, which contains the fix. F5 also recommends limiting management access to trusted users and devices, logging off and closing the web browser after use, and not using the same browser for administration and general browsing.
Organizations using NGINX Plus or BIG-IP Next Central Manager should review their exposure and act quickly to mitigate these risks. Upgrading to a patched version is strongly advised wherever possible; where an upgrade is not practicable, apply the temporary mitigations described above.
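The behaviour described for CVE-2024-39809, a session that outlives the user's logout, is the classic result of a logout handler that clears the client's cookie without revoking the session on the server. The following added example (not F5's or BIG-IP Next Central Manager's code; the in-memory store and handler names are constructed for illustration) shows the weak pattern beside the hardened one and a check that exposes the difference.

```python
import secrets


class SessionStore:
    """Toy server-side session store keyed by an opaque random token."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def authenticate(self, token):
        """Return the username bound to the token, or None if it is not a live session."""
        return self._sessions.get(token)

    def logout_weak(self, token):
        # Weak pattern: only instructs the browser to drop its cookie. The
        # server-side session remains valid, so any copy of the cookie made
        # before logout still authenticates.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_hardened(self, token):
        # Hardened pattern: revoke the session server-side first, then clear the cookie.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def cookie_survives_logout(logout_method_name):
    """Log in, keep a copy of the token, log out via the named handler, and test the copy."""
    store = SessionStore()
    token = store.login("admin")
    copied = token  # a copy of the cookie that exists independently of the browser
    getattr(store, logout_method_name)(token)
    return store.authenticate(copied) is not None


if __name__ == "__main__":
    print("weak handler, copy still valid:", cookie_survives_logout("logout_weak"))
    print("hardened handler, copy still valid:", cookie_survives_logout("logout_hardened"))
```

The hardened handler is why F5's interim advice (log off, close the browser, keep administration in a separate browser) only limits exposure rather than removing it: until the server revokes sessions on logout, the protection rests entirely on nobody else holding a copy of the cookie.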