SB2018122706 - Multiple vulnerabilities in F5 BIG-IP
Published: December 27, 2018
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2018-15334)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page that submits a request to the APM webtop on the victim's behalf, forcing the victim's webtop session to log out and requiring re-authentication.
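The missing check described above is origin validation of a state-changing request. The following is an added example written for this page, not F5 code and not a description of how BIG-IP APM implements the fix: a generic logout handler that relies on the session cookie alone, placed beside one that also requires a same-origin Origin/Referer header and a per-session anti-CSRF token. The hostname apm.example.com, the request/session dictionaries and their field names are assumptions constructed for the example.

```python
"""
Added example (not F5 code): origin validation for a state-changing request,
the check whose absence is described for CVE-2018-15334.

A request forged from an attacker-controlled page carries the victim's
session cookie, so a handler that only checks "is there a valid session?"
accepts it. The same browser also sends an Origin header (or, on older
browsers, at least a Referer) naming the attacker's site, and a cross-origin
page cannot read a token stored in the victim's session. Checking both
rejects the forged logout while allowing the legitimate one.
"""
import hmac
import secrets
from urllib.parse import urlsplit

APP_HOST = "apm.example.com"   # assumed hostname of the protected application


def new_session():
    """Constructed session state: authenticated, with a random anti-CSRF token."""
    return {"authenticated": True, "csrf_token": secrets.token_urlsafe(32)}


def logout_weak(request, session):
    """Vulnerable pattern: a valid session cookie is the only requirement,
    so a cross-site POST that rides on the victim's cookie succeeds."""
    return bool(session.get("authenticated"))


def origin_allowed(headers, app_host=APP_HOST):
    """True only if the request provably came from app_host.

    Origin is checked first, Referer as a fallback. A request carrying
    neither is rejected rather than assumed safe; 'Origin: null' fails
    because urlsplit('null') yields an empty netloc.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            # Exact scheme and host comparison: the browser will not send
            # apm.example.com here for a page served from attacker.example.
            return parts.scheme == "https" and parts.netloc == app_host
    return False


def token_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session's."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def logout_hardened(request, session):
    """Hardened pattern: session + same-origin header + anti-CSRF token."""
    if not session.get("authenticated"):
        return False
    return origin_allowed(request["headers"]) and token_valid(
        session, request["form"].get("csrf_token")
    )


if __name__ == "__main__":
    sess = new_session()
    # Constructed requests: one from the application's own page, one forged.
    legit = {"headers": {"Origin": "https://apm.example.com"},
             "form": {"csrf_token": sess["csrf_token"]}}
    forged = {"headers": {"Origin": "https://attacker.example"}, "form": {}}
    print("weak accepts forged:", logout_weak(forged, sess))        # True
    print("hardened accepts forged:", logout_hardened(forged, sess))  # False
    print("hardened accepts legit:", logout_hardened(legit, sess))    # True
```

The header check alone is not enough on its own: some clients and proxies strip Referer, and a missing header must fail closed, which is why the token is required as well. Comparing the full netloc means a request whose Origin carries an explicit port (for example https://apm.example.com:443) is rejected unless app_host is written the same way; configure app_host to match how the application is actually addressed.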
2) Information disclosure (CVE-ID: CVE-2018-15333)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to unrestricted access to snapshot files in the BIG-IP Configuration utility. A BIG-IP user with any role, including the Guest role, can view and download previously generated snapshot files such as QKView archives and tcpdump captures, which can contain configuration data, logs and captured traffic.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.