Vulnerability Name:CVE-2019-6634 (CCN-164382)

Assigned:2019-07-01
Published:2019-07-01
Updated:2020-08-24
Summary:On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in the restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-6634

Source: BID
Type: Third Party Advisory, VDB Entry
109104

Source: XF
Type: UNKNOWN
f5-cve20196634-dos(164382)

Source: CCN
Type: F5 Security Advisory K64855220
F5 TMUI and iControl Rest vulnerability CVE-2019-6634

Source: CONFIRM
Type: Vendor Advisory
https://support.f5.com/csp/article/K64855220

Vulnerable Configuration:
  • Configuration 1:
  • cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 2:
  • cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 3:
  • cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 4:
  • cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 5:
  • cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 6:
  • cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 7:
  • cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 8:
  • cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 9:
  • cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 10:
  • cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 11:
  • cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 12:
  • cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration 13:
  • cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

  • Configuration CCN 1:
  • cpe:/a:f5:big-ip:12.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:13.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:14.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:12.1.4:*:*:*:*:*:*:*
