Vulnerability CVE-2019-6638


Published: 2019-07-03

Description:
On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, malformed HTTP requests made to an undisclosed iControl REST endpoint can lead to an infinite loop in the restjavad process. restjavad is the daemon that serves iControl REST, so a looping restjavad leaves the REST API, and any automation that depends on it, unresponsive (denial of service); the CVSS vector below rates the issue as requiring authentication.

Type: CWE-400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))

Vendor: F5
Product: Big-ip fraud protection service 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip edge gateway 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip domain name system 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip application security manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip application acceleration manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip analytics 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip advanced firewall manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip access policy manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip policy enforcement manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip local traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip link controller 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
Product: Big-ip global traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
Product: Big-ip webaccelerator 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
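A practitioner reading the affected versions above usually wants a quick check of a device's own version against them. The following is an added example, not code from this page or from F5: it encodes the two inclusive ranges stated in the CVE text (the per-module lists above all repeat the same platform ranges) and extracts the version from a constructed sample of `tmsh show sys version` output, whose format is assumed. It deliberately pads three-field versions such as 14.1.0 to four fields so that the lower bound of each range compares correctly.

```python
"""Affected-version check for CVE-2019-6638.

Added example, not code from the advisory or from F5. It encodes the two
inclusive affected ranges stated in the CVE text (14.1.0-14.1.0.5 and
14.0.0-14.0.0.4) and tests a BIG-IP version string against them. The
sample `tmsh show sys version` output below is constructed for the example
and its layout is an assumption.
"""

import re
from typing import List, Tuple

# Inclusive (low, high) ranges, taken from the CVE description.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("14.1.0", "14.1.0.5"),
    ("14.0.0", "14.0.0.4"),
]

# Constructed sample of `tmsh show sys version` output (format assumed).
SAMPLE_SHOW_SYS_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.5
  Build       0.0.4
  Edition     Point Release 5
"""


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maintenance[.point]' into a 4-tuple of ints.

    A missing point field is 0, so '14.1.0' compares equal to '14.1.0.0';
    this matters because the lower bound of each range is written without it.
    Anything else (letters, hotfix suffixes, wrong field count) is rejected
    rather than guessed at.
    """
    parts = version.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_show_sys_version(text: str) -> str:
    """Pull the 'Version' field out of captured `tmsh show sys version` output."""
    m = re.search(r"^\s*Version\s+(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found")
    return m.group(1)


def assess(text: str) -> str:
    """One-line verdict for a captured `tmsh show sys version` output."""
    ver = version_from_show_sys_version(text)
    state = "AFFECTED" if is_affected(ver) else "not in affected range"
    return f"BIG-IP {ver}: {state} (CVE-2019-6638)"


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_SYS_VERSION))
```

The check only encodes the affected ranges given in the CVE text; the F5 article K67825238 in the references is the authoritative source for fixed versions and mitigations, and a version outside the ranges above should be read as "not listed here", not as "patched".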

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

 References:
http://www.securityfocus.com/bid/109106
https://support.f5.com/csp/article/K67825238

Related CVE
CVE-2019-6659
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.
CVE-2019-6660
On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.
CVE-2019-6661
When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.4.1, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.
CVE-2019-6662
On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the local log files and/or remote logging targets when restjavad processes an invalid request. Users with access to the log files would be able to view that data.
CVE-2019-6664
On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, network protections on the management port do not follow current best practices.
CVE-2019-6656
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full APM session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14.1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12...
CVE-2019-6655
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.
CVE-2019-6654
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on a...

Copyright 2019, cxsecurity.com
