K21284031 : GnuPG vulnerability CVE-2014-4617

2016-09-0100:00:00

my.f5.com

5.8 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.015 Low

EPSS

Percentile

85.5%

JSON

Security Advisory Description

The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. (CVE-2014-4617)

Impact

ARX

This vulnerability is exposed when using the Auto Diagnostics feature.

BIG-IP

GNU Privacy Guard (GnuPG) is not used in traffic processing. GnuPG is used only in administrative functions on the BIG-IP system, such as encryption of user configuration set (UCS) and single configuration files (SCF), and verification of ISOs and ASM signatures, which are not affected by this vulnerability. An authenticated (root) user with advanced shell access could upload a specially crafted file and execute** gpg** manually to trigger this vulnerability.

F5 iWorkflow, BIG-IQ, and Enterprise Manager

An authenticated user with advanced shell access could be able to exploit this vulnerability by executing** gpg** manually.

CPENameOperatorVersion
big-ip afmeq11.4.0
big-ip afmeq11.4.1
big-ip afmeq11.5.0
big-ip afmeq11.5.1
big-ip afmeq11.5.2
big-ip afmeq11.5.3
big-ip afmeq11.5.4
big-ip afmeq11.5.5
big-ip afmeq11.5.6
big-ip afmeq11.6.0

Name	Operator	Version
big-ip afm	eq	11.4.0
big-ip afm	eq	11.4.1
big-ip afm	eq	11.5.0
big-ip afm	eq	11.5.1
big-ip afm	eq	11.5.2
big-ip afm	eq	11.5.3
big-ip afm	eq	11.5.4
big-ip afm	eq	11.5.5
big-ip afm	eq	11.5.6
big-ip afm	eq	11.6.0