F5 Issues Security Advisories for NGINX Plus (CVE-2024-39792) & BIG-IP Next Central Manager (CVE-2024-39809)
F5, a prominent provider of application delivery and security solutions, has recently released security advisories addressing vulnerabilities in two of its products: NGINX Plus and BIG-IP Next Central Manager. These vulnerabilities, if exploited, could lead to denial-of-service (DoS) attacks and unauthorized access, potentially causing significant disruptions and security breaches for affected organizations.
NGINX Plus Memory Exhaustion Vulnerability (CVE-2024-39792)
The first vulnerability, tracked as CVE-2024-39792 (CVSSv4 8.7), impacts NGINX Plus versions R30 to R32 when configured with the MQTT pre-read module. It allows unauthenticated remote attackers to trigger excessive memory consumption, leading to system instability and potential DoS conditions. This vulnerability affects the data plane only, meaning it does not expose the control plane.
F5 strongly recommends upgrading NGINX Plus to the patched versions (R32 P1 or R31 P3) to fully address this vulnerability. If an immediate upgrade is not feasible, disabling the MQTT filter module in the NGINX configuration can serve as a temporary mitigation.
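As an added example (not part of the F5 advisory), the following POSIX shell script audits an NGINX Plus host for the two conditions the NGINX Plus issue needs: a release in the affected R30 to R32 range that predates the R31 P3 / R32 P1 fixes, and the MQTT preread/filter module still enabled in the stream configuration. It assumes that `nginx -v` prints the release as `(nginx-plus-rNN)` or `(nginx-plus-rNN-pM)` and that the module is switched on with `mqtt_preread on;` or `mqtt on;`; the sample config it checks is constructed inline.

```shell
#!/bin/sh
# Added audit script (not from the F5 advisory). Assumptions: `nginx -v` prints
# "... (nginx-plus-rNN)" or "(nginx-plus-rNN-pM)", and the MQTT modules are
# enabled with `mqtt_preread on;` / `mqtt on;` in the stream context.

# Returns 0 if the release string is in the affected range, 1 if fixed or
# unaffected, 2 if it is not an NGINX Plus build string at all.
nginx_plus_release_affected() {
    case "$1" in
        *nginx-plus-r[0-9]*) ;;
        *) return 2 ;;
    esac
    rel=${1#*nginx-plus-r}            # "32-p1)" or "32)"
    major=${rel%%[!0-9]*}             # "32"
    rest=${rel#"$major"}              # "-p1)" or ")"
    case "$rest" in
        -p[0-9]*) patch=${rest#-p}; patch=${patch%%[!0-9]*} ;;
        *)        patch=0 ;;
    esac
    case "$major" in
        30) return 0 ;;               # no fixed build listed for R30: upgrade
        31) [ "$patch" -lt 3 ] ;;     # fixed in R31 P3
        32) [ "$patch" -lt 1 ] ;;     # fixed in R32 P1
        *)  return 1 ;;
    esac
}

# Prints every active (uncommented) MQTT directive under a config directory.
# Returns 0 if any were found, 1 if the module is disabled (the advised mitigation).
mqtt_directives_enabled() {
    hits=$(grep -rnE '^[[:space:]]*(mqtt_preread|mqtt)[[:space:]]+on[[:space:]]*;' "$1" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Writes a constructed sample stream config into $1, module on ($2=on) or commented out.
write_sample_conf() {
    mkdir -p "$1/stream.d"
    if [ "$2" = on ]; then line='    mqtt_preread on;'; else line='    # mqtt_preread on;   # disabled per advisory'; fi
    printf 'stream {\n  server {\n    listen 1883;\n%s\n    proxy_pass mqtt_backend;\n  }\n}\n' "$line" > "$1/stream.d/mqtt.conf"
}

# Stand-alone demo on a constructed config tree (no real nginx install needed).
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir" on
if mqtt_directives_enabled "$demo_dir"; then echo "MQTT module enabled: upgrade or disable it"; fi
rm -rf "$demo_dir"
```

On a real host, feed the output of `nginx -v 2>&1` to `nginx_plus_release_affected` and the NGINX configuration directory (usually `/etc/nginx`) to `mqtt_directives_enabled`.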
BIG-IP Next Central Manager Session Token Vulnerability (CVE-2024-39809)
The second vulnerability, identified as CVE-2024-39809 (CVSSv4 8.9), affects BIG-IP Next Central Manager version 20.1.0. It allows attackers who obtain a user’s session cookies to maintain access to the management interface even after the user has logged out. This control plane vulnerability could enable unauthorized access to BIG-IP Next Central Manager and the systems it manages.
The recommended mitigation is to upgrade BIG-IP Next Central Manager to version 20.2.0, which includes the necessary fix. Additionally, F5 advises restricting management access to trusted users and devices, logging off and closing the web browser after each session, and not using the same browser for management and general browsing.
Call to Action
Organizations using NGINX Plus or BIG-IP Next Central Manager are urged to review the security advisories, assess their exposure, and take immediate action to mitigate the risks. Upgrading to the patched versions is strongly recommended wherever possible. If upgrades are not feasible, the temporary mitigations described above should be implemented.