Understanding 'Versions known to be not vulnerable' in Security Advisories

Question

Hallo,&nbsp;
I'm trying to understand the implications of the choice of vulnerable versions in F5 Networks Security Advisories. I frequently see entries like:&nbsp;
Product / Versions known to be vulnerable / Versions known to be not vulnerable&nbsp;
BIG-IP PSM / 11.4.0 - 11.4.1 / None&nbsp;
[https://support.f5.com/csp/article/K90803619]&nbsp;
So there are no fixes for this CVE in BIG-IP PSM 11.4.0 despite newer versions for BIG-IP PSM (12.1.2, 13.0.0) that are not listed as vulnerable.&nbsp;
My question aims at the logic for the column 'Versions known to be not vulnerable'. Are the versions listed there chosen only from the same branch of the versions listed as 'Versions known to be vulnerable'? Would You recommend a user of BIG-IP PSM 11.4.0 an upgrade to a version of another branch like 12.1.2 in this case?&nbsp;

vijay_e · Answer

I think this is something that F5 Engineers can answer with authority. My understanding of "none" is that there is no available code version that is not vulnerable. So, even if you upgrade to 12.1.2, you will still be vulnerable.

charlescs · Answer

PSM was deprecated starting in version 11.5.0, and its functions were divided between AFM and ASM. This is why there are no later versions shown in the "not vulnerable" column.&nbsp;

Forum Discussion

Understanding 'Versions known to be not vulnerable' in Security Advisories

2 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

How To Read An F5 Security Advisory

Understanding iApps

Understanding IPSec IKEv2 negotiation on Wireshark

Understanding IPSec IKEv1 negotiation on Wireshark

Understanding Modern Application Architecture - Part 1