var-201907-0143
Vulnerability from variot
On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of "Guest" or greater privilege. Note: "No Access" cannot login so technically it's a role but a user with this access role cannot perform the attack. BIG-IP (ASM) Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP ASM is prone to a denial-of-service vulnerability. F5 BIG-IP Application Security Manager (ASM) is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects email, simplifies Web access control, and enhances network and application performance. An attacker can exploit this vulnerability to consume a large amount of memory and terminate arbitrary processes. The following products and versions are affected: F5 BIG-IP ASM version 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4 Version
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-201907-0143", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "big-ip application security manager", scope: "gte", trust: 1, vendor: "f5", version: "14.1.0", }, { model: "big-ip application security manager", scope: "lt", trust: 1, vendor: "f5", version: "13.1.1.5", }, { model: "big-ip application security manager", scope: "lt", trust: 1, vendor: "f5", version: "12.1.4.1", }, { model: "big-ip application security manager", scope: "gte", trust: 1, vendor: "f5", version: "12.1.0", }, { model: "big-ip application security manager", scope: "lt", trust: 1, vendor: "f5", version: "14.1.0.6", }, { model: "big-ip application security manager", scope: "gte", trust: 1, vendor: "f5", version: "13.0.0", }, { model: "big-ip application security manager", scope: "gte", trust: 1, vendor: "f5", version: "14.0.0", }, { model: "big-ip application security manager", scope: "lt", trust: 1, vendor: "f5", version: "14.0.0.5", }, { model: "big-ip application security manager", scope: "eq", trust: 0.8, vendor: "f5", version: "12.1.0 to 12.1.4", }, { model: "big-ip application security manager", scope: "eq", trust: 0.8, vendor: "f5", version: "13.0.0 to 13.1.1.4", }, { model: "big-ip application security manager", scope: "eq", trust: 0.8, vendor: "f5", version: "14.0.0 to 14.0.0.4", }, { model: "big-ip application security manager", scope: "eq", trust: 0.8, vendor: "f5", version: "14.1.0 to 14.1.0.5", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "14.1", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "14.0", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.1", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.0.1", }, { model: "big-ip asm hf3", scope: "eq", trust: 0.3, vendor: "f5", version: "13.0", }, { model: "big-ip asm hf2", scope: "eq", trust: 0.3, vendor: "f5", version: "13.0", }, { model: "big-ip asm hf1", scope: "eq", trust: 0.3, vendor: "f5", version: "13.0", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.0", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.4", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.3", }, { model: "big-ip asm hf2", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.2", }, { model: "big-ip asm hf1", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.2", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.2", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.0.8", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.0.6", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.0.5", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.0.4", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "13.1.0.2", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.3.7", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.3.6", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.3.4", }, { model: "big-ip asm", scope: "eq", trust: 0.3, vendor: "f5", version: "12.1.3.2", }, { model: "big-ip asm", scope: "ne", trust: 0.3, vendor: "f5", version: "14.1.0.6", }, { model: "big-ip asm", scope: "ne", trust: 0.3, vendor: "f5", version: "14.0.0.5", }, { model: "big-ip asm", scope: "ne", trust: 0.3, vendor: "f5", version: "13.1.1.5", }, { model: "big-ip asm", scope: "ne", trust: 0.3, vendor: "f5", version: "12.1.4.1", }, ], sources: [ { db: "BID", id: "109091", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "13.1.1.5", versionStartIncluding: "13.0.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "14.0.0.5", versionStartIncluding: "14.0.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "14.1.0.6", versionStartIncluding: "14.1.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "12.1.4.1", versionStartIncluding: "12.1.0", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "NVD", id: "CVE-2019-6637", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "The vendor reported this issue.", sources: [ { db: "BID", id: "109091", }, ], trust: 0.3, }, cve: "CVE-2019-6637", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { acInsufInfo: false, accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", author: "NVD", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "NONE", exploitabilityScore: 8, impactScore: 2.9, integrityImpact: "NONE", obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", trust: 1, userInteractionRequired: false, vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P", version: "2.0", }, { acInsufInfo: null, accessComplexity: "Low", accessVector: "Network", authentication: "Single", author: "NVD", availabilityImpact: "Partial", baseScore: 4, confidentialityImpact: "None", exploitabilityScore: null, id: "CVE-2019-6637", impactScore: null, integrityImpact: "None", obtainAllPrivilege: null, obtainOtherPrivilege: null, obtainUserPrivilege: null, severity: "Medium", trust: 0.8, userInteractionRequired: null, vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "NONE", exploitabilityScore: 8, id: "VHN-158072", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:L/AU:S/C:N/I:N/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "NVD", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", exploitabilityScore: 2.8, impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 6.5, baseSeverity: "Medium", confidentialityImpact: "None", exploitabilityScore: null, id: "CVE-2019-6637", impactScore: null, integrityImpact: "None", privilegesRequired: "Low", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, ], severity: [ { author: "NVD", id: "CVE-2019-6637", trust: 1.8, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-201907-050", trust: 0.6, value: "MEDIUM", }, { author: "VULHUB", id: "VHN-158072", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-158072", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, { db: "CNNVD", id: "CNNVD-201907-050", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of \"Guest\" or greater privilege. Note: \"No Access\" cannot login so technically it's a role but a user with this access role cannot perform the attack. BIG-IP (ASM) Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP ASM is prone to a denial-of-service vulnerability. F5 BIG-IP Application Security Manager (ASM) is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects email, simplifies Web access control, and enhances network and application performance. An attacker can exploit this vulnerability to consume a large amount of memory and terminate arbitrary processes. The following products and versions are affected: F5 BIG-IP ASM version 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4 Version", sources: [ { db: "NVD", id: "CVE-2019-6637", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "BID", id: "109091", }, { db: "VULHUB", id: "VHN-158072", }, ], trust: 1.98, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2019-6637", trust: 2.8, }, { db: "BID", id: "109091", trust: 2, }, { db: "JVNDB", id: "JVNDB-2019-006207", trust: 0.8, }, { db: "CNNVD", id: "CNNVD-201907-050", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2019.2408", trust: 0.6, }, { db: "VULHUB", id: "VHN-158072", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-158072", }, { db: "BID", id: "109091", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, { db: "CNNVD", id: "CNNVD-201907-050", }, ], }, id: "VAR-201907-0143", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-158072", }, ], trust: 0.55944443, }, last_update_date: "2023-12-18T12:17:55.482000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "K29149494", trust: 0.8, url: "https://support.f5.com/csp/article/k29149494", }, { title: "F5 BIG-IP Security vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=94286", }, ], sources: [ { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "CNNVD", id: "CNNVD-201907-050", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "NVD-CWE-noinfo", trust: 1, }, { problemtype: "CWE-400", trust: 0.9, }, ], sources: [ { db: "VULHUB", id: "VHN-158072", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2, url: "https://support.f5.com/csp/article/k29149494", }, { trust: 1.7, url: "http://www.securityfocus.com/bid/109091", }, { trust: 1.4, url: "https://nvd.nist.gov/vuln/detail/cve-2019-6637", }, { trust: 0.9, url: "http://www.f5.com/products/big-ip/", }, { trust: 0.8, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6637", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k44885536", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k20445457", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k67825238", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k79902360", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k20541896", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k22384173", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k68151373", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k00432398", }, { trust: 0.6, url: "https://support.f5.com/csp/article/k64855220", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2019.2408/", }, ], sources: [ { db: "VULHUB", id: "VHN-158072", }, { db: "BID", id: "109091", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, { db: "CNNVD", id: "CNNVD-201907-050", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-158072", }, { db: "BID", id: "109091", }, { db: "JVNDB", id: "JVNDB-2019-006207", }, { db: "NVD", id: "CVE-2019-6637", }, { db: "CNNVD", id: "CNNVD-201907-050", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2019-07-03T00:00:00", db: "VULHUB", id: "VHN-158072", }, { date: "2019-07-02T00:00:00", db: "BID", id: "109091", }, { date: "2019-07-12T00:00:00", db: "JVNDB", id: "JVNDB-2019-006207", }, { date: "2019-07-03T19:15:13.220000", db: "NVD", id: "CVE-2019-6637", }, { date: "2019-07-02T00:00:00", db: "CNNVD", id: "CNNVD-201907-050", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-08-24T00:00:00", db: "VULHUB", id: "VHN-158072", }, { date: "2019-07-02T00:00:00", db: "BID", id: "109091", }, { date: "2019-07-12T00:00:00", db: "JVNDB", id: "JVNDB-2019-006207", }, { date: "2020-08-24T17:37:01.140000", db: "NVD", id: "CVE-2019-6637", }, { date: "2020-08-25T00:00:00", db: "CNNVD", id: "CNNVD-201907-050", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-201907-050", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "BIG-IP Vulnerable to resource exhaustion", sources: [ { db: "JVNDB", id: "JVNDB-2019-006207", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "resource management error", sources: [ { db: "CNNVD", id: "CNNVD-201907-050", }, ], trust: 0.6, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.