F5:K44885536
Jul 01, 2019 - 12:00 a.m.

K44885536 : iControl REST vulnerability CVE-2019-6622

2019-07-01 00:00:00
my.f5.com

AI Score: 7.4 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 47.4%)

Security Advisory Description

An undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is exploitable only on multi-bladed systems.

The vulnerability allows bypass of Appliance mode security on BIG-IP systems by allowing the execution of arbitrary Advanced Shell (bash) commands. In systems without Appliance mode security, the administrator and resource administrator users will likely have this level of access already. F5 considers this a security concern mostly for systems deployed in Appliance mode, but it’s also a valid attack vector for users who do not already have bash access granted. For example, a resource administrator who does not already have bash access explicitly granted in the user configuration can be exploited as an attack vector. (CVE-2019-6622)

Impact

A remote attacker can exploit the vulnerability to execute arbitrary bash commands on a vulnerable multi-bladed system.
