SB2017121908 - Multiple vulnerabilities in F5 BIG-IP

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2017-0304)

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists in the BIG-IP AFM management UI due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

2) Security restrictions bypass (CVE-ID: CVE-2017-0301)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can access different internal BIG-IP APM resources.

3) Denial of service (CVE-ID: CVE-2017-6140)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in multiple F5 Networks products using virtual servers with client or server SSL profiles that use AES-GCM cipher suite due to improper processing of packets. A remote attacker can send a series of packets and cause a disruption of the data plane services on the system.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References

• https://support.f5.com/csp/article/K39428424
• https://support.f5.com/csp/article/K54358225
• https://support.f5.com/csp/article/K55102452