Multiple vulnerabilities in F5 BIG-IP

Published: 2017-12-19 00:00:00
Severity Low
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2017-0304
CVE-2017-0301
CVE-2017-6140
CVSSv3 5.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
4.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CWE ID CWE-89
CWE-284
CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software BIG-IP AFM
BIG-IP APM
BIG-IP LTM
BIG-IP AAM
BIG-IP Analytics
BIG-IP ASM
BIG-IP DNS
BIG-IP GTM
BIG-IP PEM
Vulnerable software versions BIG-IP AFM 13.0.0
BIG-IP AFM 12.1.2
BIG-IP AFM 12.0.0
Show more
BIG-IP APM 11.5.3
BIG-IP APM 11.5.2
BIG-IP APM 11.5.1
Show more
BIG-IP LTM 11.5.3
BIG-IP LTM 11.5.2
BIG-IP LTM 11.5.1
Show more
BIG-IP AAM 12.1.2
BIG-IP AAM 12.0.0
BIG-IP AAM 12.1.1
Show more
BIG-IP Analytics 12.1.2
BIG-IP Analytics 12.0.0
BIG-IP Analytics 12.1.1
Show more
BIG-IP ASM 12.1.2
BIG-IP ASM 12.0.0
BIG-IP ASM 12.1.1
Show more
BIG-IP DNS 11.5.4
BIG-IP DNS 11.5.3
BIG-IP DNS 11.5.2
Show more
BIG-IP GTM 12.1.1
BIG-IP GTM 12.1.0
BIG-IP GTM 12.0.1
Show more
BIG-IP PEM 11.5.3
BIG-IP PEM 11.5.2
BIG-IP PEM 11.5.1
Show more
Vendor URL F5 Networks, Inc.

Security Advisory

1) SQL injection

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists in the BIG-IP AFM management UI due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Remediation

The vulnerability is addressed in the following versions: 12.1.3, 13.1.0, 13.0.0 HF1

External links

https://support.f5.com/csp/article/K39428424

2) Security restrictions bypass

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can access different internal BIG-IP APM resources.

Remediation

The vulnerability is addressed in the following versions: 11.5.5, 11.6.2, 12.1.3.

External links

https://support.f5.com/csp/article/K54358225

3) Denial of service

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in multiple F5 Networks products using virtual servers with client or server SSL profiles that use AES-GCM cipher suite due to improper processing of packets. A remote attacker can send a series of packets and cause a disruption of the data plane services on the system.

Successful exploitation of the vulnerability results in denial of service.

Remediation

The vulnerability is addressed in the following versions: 11.5.5, 11.6.2, 11.5.5, 13.0.0.

External links

https://support.f5.com/csp/article/K55102452

Back to List