CVE-2017-6153 — Uncontrolled Resource Consumption in F5 Big-ip Domain Name System

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation CWE-300 — Channel Accessible by Non-Endpoint CWE-295 — Improper Certificate Validation12 documents8 sources

Severity

5.3MEDIUMNVD

GHSA4.3

EPSS

0.6%

top 30.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager F5 Big-ip Analytics +10 more

Timeline

PublishedJun 1

Latest updateMay 14

Description

Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected to a service disruption via a "Zip Bomb" attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages13 packages

▶NVDf5/big-ip_domain_name_system11.5.1 — 11.5.5+5

▶NVDf5/big-ip_fraud_protection_service11.5.1 — 11.5.5+5

▶NVDf5/big-ip_analytics11.5.1 — 11.5.5+5

▶NVDf5/big-ip_edge_gateway11.5.1 — 11.5.5+5

▶NVDf5/big-ip_webaccelerator11.5.1 — 11.5.5+5

🔴Vulnerability Details

GHSA

Jenkins Swarm Plugin Client vulnerable to man-in-the-middle attacks↗2022-05-14

▶

GHSA

MitM on Jenkins Maven Plugin↗2022-05-14

▶

GHSA

Improper Certificate Validation in Jenkins↗2022-05-14

▶

GHSA

GHSA-3r5p-5q8f-23jv: Features in F5 BIG-IP 13↗2022-05-13

▶

CVEList

CVE-2017-6153: Features in F5 BIG-IP 13↗2018-06-01

▶

📋Vendor Advisories

CVE-2017-6153: Features in F5 BIG-IP 13↗2018-06-01

▶

Red Hat

jenkins: Jenkins core bundled vulnerable version of the commons-httpclient library (SECURITY-555)↗2017-10-11

▶

Red Hat

jenkins-pugin-swarm: Swarm Plugin Client bundled vulnerable version of the commons-httpclient library (SECURITY-597)↗2017-10-11

▶

💬Community

Bugzilla

CVE-2017-1000402 jenkins-pugin-swarm: Swarm Plugin Client bundled vulnerable version of the commons-httpclient library (SECURITY-597)↗2017-10-13

▶

Bugzilla

CVE-2017-1000396 jenkins: Jenkins core bundled vulnerable version of the commons-httpclient library (SECURITY-555)↗2017-10-13

▶

External resources

NVD MITRE

Affected products13

F5 Big-ip Access Policy Manager≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Advanced Firewall Manager≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Analytics≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Application Acceleration Manager≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Application Security Manager≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Domain Name System≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Edge Gateway≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Fraud Protection Service≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Global Traffic Manager≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

F5 Big-ip Link Controller≥ 11.5.1, ≤ 11.5.5≥ 11.6.1, ≤ 11.6.3≥ 12.1.0, ≤ 12.1.3+3 more

Disclosure

PublishedJun 1, 2018

Latest updateMay 14, 2022