BIG-IP and BIG-IQ Vulnerabilities: F5's Commitment to Product Security

As part of our ongoing security vulnerability management practices, today F5 announced several vulnerabilities and fixes for both BIG-IP and BIG-IQ. The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible. 

The four critical vulnerabilities in the announcement affect BIG-IP versions 11.6 or 12.x and newer, with one of these critical vulnerabilities also affecting BIG-IQ versions 6.x and 7.x. In addition, seven high severity vulnerabilities and ten medium severity vulnerabilities are included in the announcement.

These vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5’s security program. Because we understand how critical BIG-IP and BIG-IQ are to our customers, as soon as these vulnerabilities were discovered we immediately began work on fixes and we published the security advisories as soon as we could supply our customers with fixed versions.

F5 remains fully committed to equipping our customers and the cybersecurity community at large with information about vulnerabilities to strengthen our collective defenses against cyberattacks. We have comprehensive security practices—including secure training and frameworks, testing, internal and external auditing, and vulnerability management and disclosure—across the company, which we are continuously enhancing to meet ever-evolving cybersecurity threats.

We further strengthen our security measures through close collaboration with partners who regularly perform diligence on and test our systems. Finally, we continually review our processes and procedures—in consultation with third parties—to identify opportunities to further improve our products and security practices.

Next steps

We strongly recommend that all customers update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible—this is the only way to fully address the vulnerabilities. If you cannot update your systems immediately, we advise you to apply any additional mitigation recommendations detailed in the security advisories while developing a plan to complete the updates. Additional resources on the vulnerabilities and the steps you should take to remediate your exposure are available at the F5 vulnerability response site:

• How-to guide for updating BIG-IP

• Expert tips on automating BIG-IP updates

Our support teams are available to provide guidance and resources to customers across the globe, so don't hesitate to contact them for help. You can also subscribe to notifications for software releases, security alerts, and other important updates.

The trust you place in F5 to handle the security and delivery of your most important assets—your applications—is not something we take lightly. We understand vulnerability remediation can be disruptive to your business. We’re committed to helping you efficiently update your BIG-IP and BIG-IQ systems to the latest, most secure, and best-performing versions—so that you can continue doing what you do best: serving your own customers.