CVE-2020-5902 | This vulnerability allows for unauthenticated attackers, or authenticated users, with

network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary
system commands, create or delete files, disable services, and/or execute arbitrary Java code. This
vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also
vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Security Advisory Recommended Actions:

If running a version listed in the Versions known to be vulnerable column, we can eliminate this

vulnerability by upgrading to a version listed in the Fixes introduced in column.

Versions Fixes Vulnerable

Severit CVSSv3
Product Branch known to be introduce component or
y score1
vulnerable d in feature
BIG-IP (LTM, 15.x 15.1.0 15.1.0.4 Critical TMUI/Configuration
AAM, AFM, utility
Analytics, APM,
ASM, DNS, FPS,
GTM, Link 15.0.0 None
Controller, PEM) 10
14.x 14.1.0 - 14.1.2 14.1.2.6
13.x 13.1.0 - 13.1.3 13.1.3.4
12.x 12.1.0 - 12.1.5 12.1.5.2
11.x 11.6.1 - 11.6.5 11.6.5.2

Mitigation
F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability. If it is not
possible to upgrade at this time, you can use the following sections as temporary mitigations:

 All network interfaces

 Self IPs
 Management interface
 Versions Fixes CVSSv Vulnerable
Severit
Product Branch known to be introduced 3 component or
y
vulnerable in score1 feature
BIG-IP (LTM, 15.x 15.1.0 15.1.0.4 Critical TMUI/Configuration
AAM, AFM, utility
Analytics, APM,
ASM, DNS, FPS,
GTM, Link 15.0.0 None
Controller, PEM) 14.x 14.1.0 - 14.1.2.6
14.1.2 10
13.x 13.1.0 - 13.1.3.4
13.1.3
12.x 12.1.0 - 12.1.5.2
12.1.5
11.x 11.6.1 - 11.6.5.2
11.6.5