Input validation error in BIG-IP Analytics - CVE-2019-6634

 


Published: July 3, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31026
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-6634
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software: BIG-IP Analytics

Detailed vulnerability description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in the restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.


How to mitigate CVE-2019-6634

Install the update from the vendor's website.
