cbcvebase.

F5 BIG-IP ASM vulnerabilities

471 known vulnerabilities affecting f5/big-ip_asm.

Total CVEs: 471
CISA KEV: 6 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 275, MEDIUM 162, LOW 7

Vulnerabilities

Page 19 of 24
CVE-2019-6618 | MEDIUM | CVSS 4.9 | 2019-05-03 | vendor: f5
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, users with the Resource Administrator role can modify sensitive portions of the filesystem if provided Advanced Shell Access, such as editing /etc/passwd. This allows modifications to user objects and is contrary to our definition for the Resource Administrator (RA) role restrictions. Affected Products: BIG-IP AAM, BIG-IP
CVE-2019-6613 | MEDIUM | CVSS 5.3 | 2019-05-03 | CWE-319 | vendor: f5
On BIG-IP 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, SNMP may expose sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is used with various profile types and is accessed using SNMPv2. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, B
CVE-2019-6617 | MEDIUM | CVSS 6.5 | 2019-05-03 | CWE-269 | vendor: f5
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, a user with the Resource Administrator role is able to overwrite sensitive low-level files (such as /etc/passwd) using SFTP to modify user permissions, without Advanced Shell access. This is contrary to our definition for the Resource Administrator (RA) role restrictions. Affected Products: BIG-IP AAM, BIG-IP AFM,
CVE-2019-6609 | CRITICAL | CVSS 9.8 | 2019-04-15 | CWE-522 | vendor: f5
Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to s
CVE-2019-6605 | HIGH | CVSS 7.5 | 2019-03-28 | vendor: f5
On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by an associated Client SSL or Server SSL profile may cause a denial of service. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, Big-
CVE-2019-6603 | HIGH | CVSS 7.5 | 2019-03-28 | vendor: f5
In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0.1, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP Edge Gateway, BIG-IP FPS, BIG-
CVE-2019-6602 | HIGH | CVSS 7.5 | 2019-03-28 | CWE-203 | vendor: f5
In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator Affected Versions: 11.5.1 - 11.5.8; 11.6.1 - 11
CVE-2019-6607 | MEDIUM | CVSS 6.8 | 2019-03-28 | CWE-352 | vendor: f5
On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. Affected Products: BIG-IP ASM Affected Versions: 11.5.1 - 11.5.8; 11.6.1 - 11.6.3; 12.1.0 - 12.1.
CVE-2019-6606 | MEDIUM | CVSS 4.3 | 2019-03-28 | CWE-401 | vendor: f5
On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, when processing certain SNMP requests with a request-id of 0, the snmpd process may leak a small amount of memory. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, Big-Ip Protoc
CVE-2019-6604 | MEDIUM | CVSS 6.8 | 2019-03-28 | vendor: f5
On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, hardware systems with a High-Speed Bridge and using non-default Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP L
CVE-2019-6608 | MEDIUM | CVSS 5.9 | 2019-03-28 | CWE-401 | vendor: f5
On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, the snmpd daemon may leak memory on a multi-blade BIG-IP vCMP guest when processing authorized SNMP requests. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerat
CVE-2019-6597 | HIGH | CVSS 7.2 | 2019-03-13 | vendor: f5
In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP
CVE-2019-6600 | MEDIUM | CVSS 6.1 | 2019-03-13 | CWE-79 | vendor: f5
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP
CVE-2019-6598 | MEDIUM | CVSS 4.3 | 2019-03-13 | vendor: f5
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and do
CVE-2019-6592 | CRITICAL | CVSS 9.1 | 2019-02-26 | CWE-295 | vendor: f5
On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles. Affected Products: BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator Affected Versions: 14.1.0 - 14.1.0.1 F5 Advisory Articles: K54167061 F5
CVE-2019-6594 | MEDIUM | CVSS 5.9 | 2019-02-26 | CWE-835 | vendor: f5
On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances. Affected Products: BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Control
CVE-2019-6593 | MEDIUM | CVSS 5.9 | 2019-02-26 | CWE-327 | vendor: f5
On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2019-6593 also known as Zombie POODLE
CVE-2019-6589 | MEDIUM | CVSS 6.1 | 2019-02-14 | CWE-79 | vendor: f5
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface), also known as the BIG-IP configuration utility. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM
CVE-2018-15333 | MEDIUM | CVSS 5.5 | 2018-12-28 | CWE-434 | vendor: f5
On versions 11.2.1 and greater, unrestricted Snapshot File Access allows a BIG-IP system user with any role, including the Guest role, to access and download previously generated and available snapshot files on the BIG-IP configuration utility, such as QKViews and TCPDumps. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS,
CVE-2018-15330 | HIGH | CVSS 7.5 | 2018-12-20 | CWE-20 | vendor: f5
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a virtual server uses the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core file. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS,