SB2019070312 - Multiple vulnerabilities in BIG-IP Analytics
Published: July 3, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Cryptographic issues (CVE-ID: CVE-2019-6632)
The vulnerability allows a local authenticated user to gain access to sensitive information.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
2) Input validation error (CVE-ID: CVE-2019-6634)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in the restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.
3) Improper access control (CVE-ID: CVE-2019-6635)
The vulnerability allows a local privileged user to manipulate data.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions.
4) Resource exhaustion (CVE-ID: CVE-2019-6638)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, malformed HTTP requests made to an undisclosed iControl REST endpoint can lead to an infinite loop in the restjavad process.
5) Information disclosure (CVE-ID: CVE-2019-6640)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.
6) Cross-site scripting (CVE-ID: CVE-2019-6625)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility.
7) Cross-site scripting (CVE-ID: CVE-2019-6626)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility.
8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-6633)
The vulnerability allows a local privileged user to read and manipulate data.
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.
Remediation
Install update from vendor's website.
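As an added example (not part of this bulletin or of F5's own tooling), the following Python transcribes the affected-version ranges listed above into a lookup that reports which of the eight CVEs apply to a given BIG-IP version. It assumes plain dotted numeric version strings such as those reported by the device; the range data is copied from the bulletin text, and any lines not found in this bulletin are an assumption.

```python
from typing import Dict, List, Tuple

# Affected ranges transcribed from the bulletin above; each tuple is (low, high), inclusive.
V14_13_12 = [("14.1.0", "14.1.0.5"), ("14.0.0", "14.0.0.4"),
             ("13.0.0", "13.1.1.4"), ("12.1.0", "12.1.4")]
V11 = [("11.6.1", "11.6.3.4"), ("11.5.1", "11.5.8")]

AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2019-6632": V14_13_12,                       # vCMP unit key randomness
    "CVE-2019-6634": V14_13_12,                       # analytics report DoS
    "CVE-2019-6635": V14_13_12 + V11,                 # Appliance mode bypass
    "CVE-2019-6638": V14_13_12[:2],                   # iControl REST infinite loop
    "CVE-2019-6640": V14_13_12 + V11,                 # SNMPv2 passphrase exposure
    "CVE-2019-6625": V14_13_12 + [("11.5.1", "11.6.4")],    # TMUI reflected XSS
    "CVE-2019-6626": V14_13_12 + [("11.5.1", "11.6.3.4")],  # TMUI reflected XSS
    "CVE-2019-6633": V14_13_12[:3] + [("12.1.0", "12.1.4.1"),
                                      ("11.5.1", "11.6.4")],  # Appliance mode bypass
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '14.1.0.5' into (14, 1, 0, 5); pad to four fields so '14.1.0' sorts as 14.1.0.0.

    Assumption: versions are purely numeric dotted strings (no hotfix suffix)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {v!r}")
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version falls inside any of the inclusive (low, high) ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def applicable_cves(version: str) -> List[str]:
    """Return the bulletin's CVE IDs whose affected ranges include this version."""
    return sorted(cve for cve, ranges in AFFECTED.items() if is_affected(version, ranges))


if __name__ == "__main__":
    # Constructed sample inputs, not values from the bulletin.
    for sample in ("14.1.0.5", "12.1.4.1", "11.6.4", "14.1.2"):
        print(sample, "->", applicable_cves(sample) or "not in any listed range")
```

Note that "12.1.4.1" matches only CVE-2019-6633, because the bulletin lists 12.1.0-12.1.4 for the other items and 12.1.0-12.1.4.1 for that one; keep the ranges in sync with the vendor articles if they are revised.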
References
- http://www.securityfocus.com/bid/109112
- https://support.f5.com/csp/article/K01413496
- http://www.securityfocus.com/bid/109104
- https://support.f5.com/csp/article/K64855220
- http://www.securityfocus.com/bid/109098
- https://support.f5.com/csp/article/K11330536
- http://www.securityfocus.com/bid/109106
- https://support.f5.com/csp/article/K67825238
- http://www.securityfocus.com/bid/109089
- https://support.f5.com/csp/article/K40443301
- https://support.f5.com/csp/article/K79902360
- https://support.f5.com/csp/article/K00432398
- http://www.securityfocus.com/bid/109113
- https://support.f5.com/csp/article/K73522927