F5 ARX Data Manager contains a SQL injection vulnerability

Overview

F5 ARX Data Manager 3.0.0 - 3.1.0 contains a SQL injection vulnerability.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

F5 ARX Data Manager 3.0.0 - 3.1.0 contains an unspecified SQL injection vulnerability.

---

Impact

A remote authenticated attacker may be able to run arbitrary SQL commands against the backend database.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Data Manager 3.x is considered end-of-life by the vendor and will not receive a security fix.

---

Stop the Service

F5 recommends stopping the Data Manager Service when not in use to mitigate this vulnerability. F5’s SOL15310 document explains how to disable the service.

---

Vendor Information

210884

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

F5 Networks, Inc. Affected

Notified: May 14, 2014 Updated: June 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626&gt;

CVSS Metrics

Group	Score	Vector
Base	5.5	AV:N/AC:L/Au:S/C:P/I:P/A:N
Temporal	5.2	E:F/RL:U/RC:C
Environmental	1.4	CDP:L/TD:L/CR:M/IR:M/AR:L

References

• <http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626&gt;
• <http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html&gt;
• <http://cwe.mitre.org/data/definitions/89.html&gt;

Acknowledgements

Thanks to Andrea Micalizzi (rgod) working with HP’s Zero Day Initiative for reporting this vulnerability to F5.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2014-2949
Date Public:	2014-06-06 Date First Published: