F5 Big-Ip Asm vulnerabilities

CVE-2019-6664 [HIGH] CVE-2019-6664: On BIG-IP 15 CVE-2019-6664: On BIG-IP 15 On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, network protections on the management port do not follow current best practices. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator Affected Versions: 14.1.0 - 14.1.2; 15.0.0 F5 Advisory Articles:

CVE-2019-6660 [HIGH] CWE-400 CVE-2019-6660: On BIG-IP 14 CVE-2019-6660: On BIG-IP 14 On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator Affected Versions: 13.1.0

CVE-2019-6662 [MEDIUM] CWE-532 CVE-2019-6662: On BIG-IP 13 CVE-2019-6662: On BIG-IP 13 On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the local log files and/or remote logging targets when restjavad processes an invalid request. Users with access to the log files would be able to view that data. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP

CVE-2019-6663 [MEDIUM] CWE-20 CVE-2019-6663: The BIG-IP 15 CVE-2019-6663: The BIG-IP 15 The BIG-IP 15.0.0-15.0.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5.1, BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1 configuration utility is vulnerable to Anti DNS Pinning (DNS Rebinding) attack. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BI

CVE-2019-6657 [MEDIUM] CWE-79 CVE-2019-6657: On BIG-IP 13 CVE-2019-6657: On BIG-IP 13 On BIG-IP 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP L

CVE-2019-6655 [MEDIUM] CVE-2019-6655: On versions 13 CVE-2019-6655: On versions 13 On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP PEM Affected Versions: 11.5.2 - 11.5.9; 11.6.1 - 11.6.4; 12.1.0 - 12.1.4.1; 13.0.0 - 13.1.0.1 F5 Advisory Articles: K31152411 F5 References: htt

CVE-2019-6654 [MEDIUM] CWE-20 CVE-2019-6654: On versions 14 CVE-2019-6654: On versions 14 On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BI

CVE-2019-6651 [MEDIUM] CWE-203 CVE-2019-6651: In BIG-IP 15 CVE-2019-6651: In BIG-IP 15 In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0,5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling a malicious request. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gate

CVE-2019-6649 [CRITICAL] CVE-2019-6649: F5 BIG-IP 15 CVE-2019-6649: F5 BIG-IP 15 F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM,

CVE-2019-6650 [CRITICAL] CVE-2019-6650: F5 BIG-IP ASM 15 CVE-2019-6650: F5 BIG-IP ASM 15 F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings. Affected Products: BIG-IP ASM Affected Versions: 11.5.2 - 11.5.9; 11.6.1 - 11.6.4; 12.1.0 - 12.1.4; 13.1.0 - 13.1.1; 14.0.0; 14.1.0; 15.0.0 F5 Advisory Articles: K0428004

CVE-2019-6644 [HIGH] CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 14 CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 14 Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.

CVE-2019-6646 [HIGH] CVE-2019-6646: On BIG-IP 11 CVE-2019-6646: On BIG-IP 11 On BIG-IP 11.5.2-11.6.4 and Enterprise Manager 3.1.1, REST users with guest privileges may be able to escalate their privileges and run commands with admin privileges. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, Enterprise Manager Affected Versions: 11

CVE-2019-6645 [HIGH] CVE-2019-6645: On BIG-IP 14 CVE-2019-6645: On BIG-IP 14 On BIG-IP 14.0.0-14.1.0.5, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, FTP traffic passing through a Virtual Server with both an active FTP profile associated and connection mirroring configured may lead to a TMM crash causing the configured HA action to be taken. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM,

CVE-2019-6643 [HIGH] CVE-2019-6643: On versions 14 CVE-2019-6643: On versions 14 On versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, and 11.5.2-11.6.4, an attacker sending specifically crafted DHCPv6 requests through a BIG-IP virtual server configured with a DHCPv6 profile may be able to cause the TMM process to produce a core file. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP

CVE-2019-6647 [MEDIUM] CWE-401 CVE-2019-6647: On BIG-IP 14 CVE-2019-6647: On BIG-IP 14 On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the management interface could eventually deplete memory on the system. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG

CVE-2019-6631 [HIGH] CVE-2019-6631: On BIG-IP 11 CVE-2019-6631: On BIG-IP 11 On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP LTM, BIG-IP Link

CVE-2019-6636 [HIGH] CWE-352 CVE-2019-6636: On BIG-IP (AFM, ASM) 14 CVE-2019-6636: On BIG-IP (AFM, ASM) 14 On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator. Affected Products: BIG-IP

CVE-2019-6629 [HIGH] CVE-2019-6629: On BIG-IP 14 CVE-2019-6629: On BIG-IP 14 On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. The Client SSL profile must have session tickets enabled and use DHE cipher suites to be affected. This only impacts the data plane, there is no impact to the control plane. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP

CVE-2019-6635 [MEDIUM] CVE-2019-6635: On BIG-IP 14 CVE-2019-6635: On BIG-IP 14 On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM

CVE-2019-6634 [MEDIUM] CVE-2019-6634: On BIG-IP 14 CVE-2019-6634: On BIG-IP 14 On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway