CVE-2019-6632 — Use of Insufficiently Random Values in F5 Big-ip Access Policy Manager
Severity
5.5MEDIUMNVD
EPSS
0.1%
top 69.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 3
Latest updateMay 24
Description
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6