Rackspace Response to F5 Security Advisory
by Marc Nourani, Director Operations, Rackspace Technology
Rackspace Technology is aware of recently published security vulnerabilities impacting F5 BIG-IP devices on code versions 13+. Our partner F5 published an article in February 2023, available here: https://my.f5.com/manage/s/article/K000130496.
Rackspace standard F5 deployments are designed with an architecture that prevents public access to management network segments, management IPs, and management APIs. Our best practices do not expose the iControl SOAP API to the public internet.
Rackspace engineers have performed an initial assessment and are advising affected customers to upgrade to the latest software from F5. Rackspace is updating our recommended safe harbor code version from 188.8.131.52 to 184.108.40.206.
To perform the F5 software code update, customers can request that the maintenance be performed by a Racker. Additionally, Rackspace is preparing a self-scheduling process for customers and will notify eligible customers once the process is available. More information on the process is available here: https://docs.rackspace.com/support/how-to/network-device-reboot-faq/.
It’s important to note that an integrated software patch for K000130415: iControl SOAP vulnerability CVE-2023-22374 is not yet available. However, mitigation options are available:
An engineering hotfix is available for the latest supported versions of BIG-IP F5. F5 provides no warranty or guarantee of usability for engineering hotfixes and Rackspace does not advise using untested software from a vendor. Rackspace can assist with the installation of this hotfix. However, customers who elect this option will be required to acknowledge and accept the associated risk.
Upon request, Rackspace can disable customer administrative access to affected F5 devices until a stable fix has been released.
Our security teams are continuing active monitoring of the situation with no associated impacted systems identified thus far.
Should you have any questions or require assistance in responding to these vulnerabilities, please contact a support Racker via https://www.rackspace.com/login.