Vulnerability CVE-2016-5022


Published: 2016-09-07

Description:
F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.x before 11.2.1 HF16, 11.3.x, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1 HF1, and 12.x before 12.0.0 HF3; BIG-IP AAM, AFM, and PEM 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1 HF1, and 12.x before 12.0.0 HF3; BIG-IP DNS 12.x before 12.0.0 HF3; BIG-IP Edge Gateway, WebAccelerator, and WOM 11.2.x before 11.2.1 HF16 and 11.3.0; BIG-IP GTM 11.2.x before 11.2.1 HF16, 11.3.x, 11.4.x, 11.5.x before 11.5.4 HF2, and 11.6.x before 11.6.1 HF1; BIG-IP PSM 11.2.x before 11.2.1 HF16, 11.3.x, and 11.4.0 through 11.4.1; Enterprise Manager 3.1.1; BIG-IQ Cloud and Security 4.0.0 through 4.5.0; BIG-IQ Device 4.2.0 through 4.5.0; BIG-IQ ADC 4.5.0; BIG-IQ Centralized Management 5.0.0; BIG-IQ Cloud and Orchestration 1.0.0; and iWorkflow 2.0.0, when Packet Filtering is enabled on virtual servers and possibly self IP addresses, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) and possibly have unspecified other impact via crafted network traffic.

Type:

CWE-284

(Improper Access Control)

Vendor: F5
Product: Big-iq centralized management 
Version: 4.6.0;
Product: Big-iq security 
Version:
4.5.0
4.4.0
4.3.0
4.2.0
4.1.0
4.0.0
See more versions on NVD
Product: Big-iq application delivery controller 
Version: 4.5.0;
Product: Big-iq device 
Version:
4.5.0
4.4.0
4.3.0
4.2.0
See more versions on NVD
Product: Big-iq cloud 
Version:
4.5.0
4.4.0
4.3.0
4.2.0
4.1.0
4.0.0
See more versions on NVD
Product: Enterprise manager 
Version: 3.1.1;
Product: F5 iworkflow 
Version: 2.0.0;
Product: Big-ip domain name system 
Version: 12.0.0;
Product: Big-ip advanced firewall manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip access policy manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip policy enforcement manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip local traffic manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip application security manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip link controller 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip application acceleration manager 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip analytics 
Version:
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
11.4.1
See more versions on NVD
Product: Big-ip global traffic manager 
Version:
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip protocol security module 
Version: 11.4.1;
Product: Big-ip protocol security manager 
Version: 11.4.1;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securitytracker.com/id/1036709
http://www.securitytracker.com/id/1036710
https://support.f5.com/kb/en-us/solutions/public/k/06/sol06045217.html

Related CVE
CVE-2019-6641
On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack.
CVE-2019-6640
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into...
CVE-2019-6639
On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. Th...
CVE-2019-6638
On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process.
CVE-2019-6637
On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results...
CVE-2019-6636
On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as...
CVE-2019-6635
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass ...
CVE-2019-6634
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process. This causes issues with both iControl REST and some portions of TMUI. The ...

Copyright 2019, cxsecurity.com

 

Back to Top