F5 BIG-IP icon   F5 BIG-IP – Vulnerability!! CVE-2020-5902 – Remote Code Execution (RCE)



Security Advisory Description

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. (CVE-2020-5902)

Description

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commandsRead more

F5 BIG-IP icon   F5 BIG-IP – Dynamic RDP destination for APM



Portal access (APM) allows user access internal resources such as servers and computers via Remote Desktop (RDP). There are 3 options to to configure the destination host when configuring the RDP resource:

  • Hostname
  • IP Address
  • User defined

Problem

Hostname and IP address are a fixed destination. In case you need different destinations based on the logged user, you would … Read more

F5 BIG-IP icon   F5 BIGIP – Name based reverse proxy (LTM policies)



F5 BIGIP is a very powerful and versatile product that can be used for several purposed. I started using it as a load balancer. Then I used it to replace the previous SSL VPN portal (and it works perfectly).

Some time ago I decided to start using it as reverse proxy (it was time for my old Microsoft TMG to … Read more

F5 BIG-IP icon   F5 BIGIP – Upgrade an active/standby cluster



Step by step procedure to upgrade an active/standby BIGIP cluster. In this example, I needed to upgrade from BIG IP v13.0.0.0 to v13.1.0.2

Download

Login to https://downloads.f5.com/, search and download the ISO image of the version you want to upgrade to.
F5 BIGIP - Upgrade an activestandby cluster - Download BIGIP upgrade

F5 BIGIP - Upgrade an activestandby cluster - Download BIGIP upgrade

Export configuration

As a good sysadmin practice, it is better to export the configuration of both nodes … Read more

F5 BIG-IP icon   F5 BIGIP – LTM Policy GUI incorrectly shows conditions with datagroups



The last F5 BIGIP version 13.1.0.2 (I upgraded from v13.0.0 some days ago – 2018 February) seems to generate a bug with the LTM policies.

Symptoms

Fortunately, the issue is only at the Presentation layer. The LTM policy show the rules conditions always with datagroups. This affects all rules and policies.

Better explained with an example:
If this is a … Read more

F5 BIG-IP icon   F5 BIGIP – HTTP header count exceeded maximum allowed count



Last week we published a new application on our web servers (which are balanced by the F5 BIGIP)
Accessing directly to the servers produced no problem, but when the connection was through the virtual balancing IP of the F5, the application did not work correctly.

Error message

Fortunately, monitoring the LTM module logs of the F5 (/var/log/ltm) while the problem … Read more

F5 BIG-IP icon   F5 BIGIP – Send logs to custom syslog file



For debugging purposes (or to simply to organize logs as you prefer) it would be interesting to send certain syslog messages to a custom file instead of the default ones like /var/log/ltm or /var/log/apm

Desired goal

This example shows the way to send syslog messages starting with the string #DEBUG# to the file /var/log/customlog

(You can replace both string and Read more

F5 BIG-IP icon   F5 BIGIP – Bug when using datagroups in LTM policies



Datagroups can be used in LTM policies to, for example, filter connections based on the client IP address (at least in my BIG-IP v13.0.0)

This is possible by adding a condition like this:
F5 BIGIP - Bug when using datagroups in LTM policies 1

“TCP” – “address” – “matches” – “in datagroup” <DATAGROUP> – at “request” time
(apply traffic on “remote” side of “external” interface)

Problem

This works correctly when the … Read more

F5 BIG-IP icon   F5 BIGIP – Modify URI path using local traffic policy



Im using my F5 BIGIP (v13) as reverse proxy to publish some websites by using local traffic policies. But i need to perform a URL rewriting. To be specific, i need to strip a string from the URI path.

It could be done using an IRule:

when HTTP_REQUEST{
if { [string tolower [HTTP::uri] ] starts_with "/path1" } {
  HTTP::uri [string 
Read more

F5 BIG-IP icon   F5 BIG-IP – Rollback tmsh commands



Today a very short and simple post to learn how to rollback configurations performed via tmsh.
After executing some commands, if finally we need to undo those changes we can get it, at least, by the following ways:

    • In case of HA environment, the standby node configuration can be sync so that we set the active (changed) node to
Read more