F5's BIG-IP is a collection of hardware and software solutions designed for application security, reliability, and performance.

iRule is a feature of BIG-IP products that allows clients to directly manipulate and manage any IP application traffic. iRules are using Tool Command Language (Tcl).

Certain coding practices may allow an attacker to inject arbitrary Tool Command Language (Tcl) commands, which can be executed in the security context of the target Tcl script by the running Tcl interpreter.

This issue affects any user-supplied Tcl code executed on the BIG-IP system including, but not limited to, iRules, Local Traffic Policies, iCall scripts, and Tcl scripts running under the standalone tclsh interpreter.


Expressions in Tcl should always be braced. Typically, you can enclose the expression in curly braces '{ }'.
For example, instead of the following unbraced expression:

if $myVar eq "String"
Use braces to ensure the expression is evaluated without substitution:
if {$myVar eq "String"}


Related Vulnerabilities