Vulnerability CVE-2019-6634


Published: 2019-07-03

Description:
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in the restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.

Type: CWE-20 (Improper Input Validation)

Vendor: F5
Product: BIG-IP Edge Gateway
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Access Policy Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD
Product: BIG-IP Link Controller
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Analytics
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Application Acceleration Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD
Product: BIG-IP WebAccelerator
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Policy Enforcement Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Domain Name System
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Fraud Protection Service
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Global Traffic Manager
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Advanced Firewall Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Local Traffic Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: BIG-IP Application Security Manager
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

References:
http://www.securityfocus.com/bid/109104
https://support.f5.com/csp/article/K64855220

Related CVE
CVE-2019-6646
On BIG-IP 11.5.2-11.6.4 and Enterprise Manager 3.1.1, REST users with guest privileges may be able to escalate their privileges and run commands with admin privileges.
CVE-2019-6643
On versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, and 11.5.2-11.6.4, an attacker sending specifically crafted DHCPv6 requests through a BIG-IP virtual server configured with a DHCPv6 profile may be able to cause the TMM pr...
CVE-2019-6648
On version 1.9.0, if DEBUG logging is enabled, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by ...
CVE-2019-6647
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the managem...
CVE-2019-6645
On BIG-IP 14.0.0-14.1.0.5, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, FTP traffic passing through a Virtual Server with both an active FTP profile associated and connection mirroring configured may lead to a TMM crash causing the configured HA ac...
CVE-2019-6644
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized user...
CVE-2019-6641
On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack.
CVE-2019-6640
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into...

Copyright 2019, cxsecurity.com

 
