Cryptographic issues in BIG-IP Analytics - CVE-2019-6632
Published: July 3, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU31025
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-6632
CWE-ID: CWE-310
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: F5 Networks
Affected software:
BIG-IP Analytics
BIG-IP Analytics
Detailed vulnerability description
The vulnerability allows a local authenticated user to gain access to sensitive information.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
How to mitigate CVE-2019-6632
Install update from vendor's website.