Details of VAR-201803-1076

ID

VAR-201803-1076

CVE

CVE-2017-6154

TITLE

BIG-IP ASM Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012784

DESCRIPTION

On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11.6.2, the BIG-IP ASM bd daemon may core dump memory under some circumstances when processing undisclosed types of data on systems with 48 or more CPU cores. BIG-IP ASM Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5BIG-IPASM (ApplicationSecurityManager) is a Web Application Firewall (WAF) from F5 Corporation of the United States that provides secure remote access, secure email protection, and simplified Web access control while enhancing network and application performance. There is a security hole in F5BIG-IPASM. An attacker could exploit this vulnerability to interrupt traffic processing and perform failover. F5 BIG-IP ASM is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the application resulting in denial-of-service conditions

Trust: 2.52

sources: NVD: CVE-2017-6154 // JVNDB: JVNDB-2017-012784 // CNVD: CNVD-2018-04644 // BID: 103233 // VULHUB: VHN-114357

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-04644

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.0.0	Trust: 1.6
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.3.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip asm	scope:	gte	version:	12.1.0,<=12.1.3.1	Trust: 0.6
vendor:	f5	model:	big-ip asm	scope:	gte	version:	11.6.1<=11.6.2	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf4	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip asm build	scope:	eq	version:	12.01.14.628	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	12.1.3.2	Trust: 0.3

sources: CNVD: CNVD-2018-04644 // BID: 103233 // JVNDB: JVNDB-2017-012784 // CNNVD: CNNVD-201803-038 // NVD: CVE-2017-6154

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6154
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-6154
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-04644
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201803-038
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114357
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-6154
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-04644
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-114357
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6154
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-04644 // VULHUB: VHN-114357 // JVNDB: JVNDB-2017-012784 // CNNVD: CNNVD-201803-038 // NVD: CVE-2017-6154

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-114357 // JVNDB: JVNDB-2017-012784 // NVD: CVE-2017-6154

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-038

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201803-038

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012784

PATCH

title:	K38243073	url:	https://support.f5.com/csp/article/K38243073	Trust: 0.8
title:	F5BIG-IPASM has an unexplained patch	url:	https://www.cnvd.org.cn/patchInfo/show/120471	Trust: 0.6
title:	F5 BIG-IP ASM Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78833	Trust: 0.6

sources: CNVD: CNVD-2018-04644 // JVNDB: JVNDB-2017-012784 // CNNVD: CNNVD-201803-038

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6154	Trust: 3.4
db:	BID	id:	103233	Trust: 1.4
db:	JVNDB	id:	JVNDB-2017-012784	Trust: 0.8
db:	CNVD	id:	CNVD-2018-04644	Trust: 0.6
db:	NSFOCUS	id:	39048	Trust: 0.6
db:	CNNVD	id:	CNNVD-201803-038	Trust: 0.6
db:	VULHUB	id:	VHN-114357	Trust: 0.1

sources: CNVD: CNVD-2018-04644 // VULHUB: VHN-114357 // BID: 103233 // JVNDB: JVNDB-2017-012784 // CNNVD: CNNVD-201803-038 // NVD: CVE-2017-6154

REFERENCES

url:	https://support.f5.com/csp/article/k38243073	Trust: 2.6
url:	http://www.securityfocus.com/bid/103233	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6154	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6154	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/39048	Trust: 0.6
url:	http://www.f5.com/products/big-ip/	Trust: 0.3

sources: CNVD: CNVD-2018-04644 // VULHUB: VHN-114357 // BID: 103233 // JVNDB: JVNDB-2017-012784 // CNNVD: CNNVD-201803-038 // NVD: CVE-2017-6154

CREDITS

The vendor reported the issue.

Trust: 0.3

sources: BID: 103233

SOURCES

db:	CNVD	id:	CNVD-2018-04644
db:	VULHUB	id:	VHN-114357
db:	BID	id:	103233
db:	JVNDB	id:	JVNDB-2017-012784
db:	CNNVD	id:	CNNVD-201803-038
db:	NVD	id:	CVE-2017-6154

LAST UPDATE DATE

2024-11-23T21:39:33.118000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-04644	date:	2018-03-08T00:00:00
db:	VULHUB	id:	VHN-114357	date:	2018-03-23T00:00:00
db:	BID	id:	103233	date:	2018-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2017-012784	date:	2018-04-16T00:00:00
db:	CNNVD	id:	CNNVD-201803-038	date:	2018-03-05T00:00:00
db:	NVD	id:	CVE-2017-6154	date:	2024-11-21T03:29:09.370

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-04644	date:	2018-03-08T00:00:00
db:	VULHUB	id:	VHN-114357	date:	2018-03-01T00:00:00
db:	BID	id:	103233	date:	2018-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2017-012784	date:	2018-04-16T00:00:00
db:	CNNVD	id:	CNNVD-201803-038	date:	2018-03-05T00:00:00
db:	NVD	id:	CVE-2017-6154	date:	2018-03-01T16:29:00.293