SB2019122311 - Multiple vulnerabilities in BIG-IP Analytics

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Link following (CVE-ID: CVE-2019-6679)

The vulnerability allows a local authenticated user to manipulate data.

On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, 13.1.1.5-13.1.3.1, 12.1.4.1-12.1.5, 11.6.4-11.6.5, and 11.5.9-11.5.10, the access controls implemented by scp.whitelist and scp.blacklist are not properly enforced for paths that are symlinks. This allows authenticated users with SCP access to overwrite certain configuration files that would otherwise be restricted.

2) Input validation error (CVE-ID: CVE-2019-6680)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5, while processing traffic through a standard virtual server that targets a FastL4 virtual server (VIP on VIP), hardware appliances may stop responding.

3) Input validation error (CVE-ID: CVE-2019-6676)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

On versions 15.0.0-15.0.1, 14.0.0-14.1.2.2, and 13.1.0-13.1.3.1, TMM may restart on BIG-IP Virtual Edition (VE) when using virtio direct descriptors and packets 2 KB or larger.

Remediation

Install update from vendor's website.

References

• https://support.f5.com/csp/article/K54336216
• https://support.f5.com/csp/article/K53183580
• https://support.f5.com/csp/article/K92002212