F5 Networks BIG-IP : Apache vulnerability (K42644206)
Medium Nessus Plugin ID 118607
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
The Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp
allow possible unauthenticated brute-forcing of the em_server_ip
authorization parameter to determine which SSL client certificates are
used for mutual authentication between BIG-IQ or Enterprise Manager (EM)
and managed BIG-IP devices. (CVE-2017-6146)
Impact
This vulnerability can disclose the em_server_ip field of valid client
certificates. This does not reveal the certificate needed for
authentication.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5
Solution K42644206.