K29149494 : iControl REST vulnerability CVE-2019-6637

2019-07-0100:00:00

my.f5.com

0.001 Low

EPSS

Percentile

28.6%

JSON

Security Advisory Description

Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of “Guest” or greater privilege. Note: “No Access” cannot login so technically it’s a role but a user with this access role cannot perform the attack. (CVE-2019-6637)

Impact

BIG-IP ASM

When the vulnerability is exploited, the affected BIG-IP ASM system may experience excessive memory consumption to the point where the Linux kernel triggers OOM killer, resulting in a possible denial-of-service (DoS).

BIG-IP (LTM, AAM, AFM, Analytics, APM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) / BIG-IQ / Enterprise Manager / F5 iWorkflow / Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.

CPENameOperatorVersion
big-iq centralized managementeq5.1.0
big-iq centralized managementeq5.2.0
big-iq centralized managementeq5.3.0
big-iq centralized managementeq5.4.0
big-iq centralized managementeq6.0.0
big-iq centralized managementeq6.0.1
big-iq centralized managementeq6.1.0
big-ip afmeq11.5.2
big-ip afmeq11.5.3
big-ip afmeq11.5.4

Name	Operator	Version
big-iq centralized management	eq	5.1.0
big-iq centralized management	eq	5.2.0
big-iq centralized management	eq	5.3.0
big-iq centralized management	eq	5.4.0
big-iq centralized management	eq	6.0.0
big-iq centralized management	eq	6.0.1
big-iq centralized management	eq	6.1.0
big-ip afm	eq	11.5.2
big-ip afm	eq	11.5.3
big-ip afm	eq	11.5.4

Rows per page:

1-10 of 2341

0.001 Low

EPSS

Percentile

28.6%

JSON

Related for F5:K29149494