Vulnerability CVE-2014-8730


Published: 2014-12-09

Description:
The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

See advisories in our WLB2 database:
Topic
Author
Date
High
TLS 1.x CBC cipher connections Padding issue
imperialviolet
09.12.2014

Vendor: F5
Product: Firepass 
Version:
7.0.0
6.1.0
6.0.3
6.0.2
6.0.1
6.0.0
See more versions on NVD
Product: ARX 
Version:
6.4.0
6.3.0
6.2.0
6.1.1
6.1.0
6.0.0
See more versions on NVD
Product: Big-iq security 
Version:
4.4.0
4.3.0
4.2.0
4.1.0
4.0.0
See more versions on NVD
Product: Big-iq device 
Version:
4.4.0
4.3.0
4.2.0
See more versions on NVD
Product: Big-iq cloud 
Version:
4.4.0
4.3.0
4.2.0
4.1.0
4.0.0
See more versions on NVD
Product: Enterprise manager 
Version:
3.1.1
3.1.0
3.0.0
2.3.0
2.2.0
2.1.0
See more versions on NVD
Product: Linerate 
Version:
2.5.0
2.4.2
2.4.1
2.4.0
2.3.3
2.3.2
2.3.1
2.3.0
2.2.7
2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
See more versions on NVD
Product: Big-ip link controller 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip policy enforcement manager 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip global traffic manager 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip application acceleration manager 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
See more versions on NVD
Product: Big-ip analytics 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip advanced firewall manager 
Version:
11.6.0
11.5.1
11.5.0
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip application security manager 
Version:
11.5.1
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip access policy manager 
Version:
11.5.1
11.5.0
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip local traffic manager 
Version:
11.5.1
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip protocol security module 
Version:
11.4.1
11.4.0
11.3.0
See more versions on NVD
Product: Big-ip webaccelerator 
Version: 11.3.0;
Product: Big-ip edge gateway 
Version: 11.3.0;
Product: Big-ip wan optimization manager 
Version: 11.3.0;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://marc.info/?l=bugtraq&m=144372772101168&w=2
http://secunia.com/advisories/62167
http://secunia.com/advisories/62224
http://secunia.com/advisories/62388
http://www-01.ibm.com/support/docview.wss?uid=swg21693271
http://www-01.ibm.com/support/docview.wss?uid=swg21693337
http://www-01.ibm.com/support/docview.wss?uid=swg21693495
http://www.openwall.com/lists/oss-security/2014/12/09/27
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04819635
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
https://support.lenovo.com/product_security/poodle
https://support.lenovo.com/us/en/product_security/poodle
https://www.imperialviolet.org/2014/12/08/poodleagain.html

Related CVE
CVE-2019-6601
In BIG-IP 13.0.0, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, the Application Acceleration Manager (AAM) wamd process used in processing of images and PDFs fails to drop group permissions when executing helper scripts.
CVE-2019-6600
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to...
CVE-2019-6599
In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious scri...
CVE-2019-6598
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may ...
CVE-2019-6597
In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configurat...
CVE-2019-6596
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when processing fragmented ClientHello messages in a DTLS session TMM may corrupt memory eventually leading to a crash. Only systems offering DTLS connect...
CVE-2019-6595
Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Manager (APM) 11.5.x and 11.6.x Admin Web UI.
CVE-2019-6594
On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances.

Copyright 2019, cxsecurity.com

 

Back to Top