Details of VAR-201807-2206

ID

VAR-201807-2206

CVE

CVE-2018-5541

TITLE

F5 BIG-IP ASM Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2018-008089

DESCRIPTION

When F5 BIG-IP ASM 13.0.0-13.1.0.1, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.5.1-11.5.6 is processing HTTP requests, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. F5 BIG-IP ASM Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP ASM is prone to a denial-of-service vulnerability. Exploiting this issue allows remote attackers to cause a denial-of-service condition due to excessive CPU consumption. F5 BIG-IP ASM (Application Security Manager) is a Web Application Firewall (WAF) of F5 Corporation in the United States. It provides secure remote access, protects emails, simplifies Web access control, and enhances network and application performance. Attackers can use a large number of parameters to exploit this vulnerability to occupy a large amount of CPU. The following versions are affected: F5 BIG-IP ASM version 13.0.0 to 13.1.0.1, 12.1.0 to 12.1.3.5, 11.6.0 to 11.6.3.1, 11.5.1 to 11.5.6

Trust: 1.98

sources: NVD: CVE-2018-5541 // JVNDB: JVNDB-2018-008089 // BID: 104906 // VULHUB: VHN-135572

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.5.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.4	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.3	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.1	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.5	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.6.1	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.0	Trust: 0.6
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.2	Trust: 0.6
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf8	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip asm hf7	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip asm hf6	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf6	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf11	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf10	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf5	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf4	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	13.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	11.6.3.2	Trust: 0.3

sources: BID: 104906 // JVNDB: JVNDB-2018-008089 // CNNVD: CNNVD-201807-1840 // NVD: CVE-2018-5541

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-5541
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-5541
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201807-1840
value:	HIGH
Trust: 0.6
VULHUB:	VHN-135572
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-5541
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-135572
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-5541
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-135572 // JVNDB: JVNDB-2018-008089 // CNNVD: CNNVD-201807-1840 // NVD: CVE-2018-5541

PROBLEMTYPE DATA

problemtype:

CWE-400

Trust: 1.9

sources: VULHUB: VHN-135572 // JVNDB: JVNDB-2018-008089 // NVD: CVE-2018-5541

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1840

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201807-1840

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008089

PATCH

title:	K12403422	url:	https://support.f5.com/csp/article/K12403422	Trust: 0.8
title:	F5 BIG-IP ASM Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82618	Trust: 0.6

sources: JVNDB: JVNDB-2018-008089 // CNNVD: CNNVD-201807-1840

EXTERNAL IDS

db:	NVD	id:	CVE-2018-5541	Trust: 2.8
db:	BID	id:	104906	Trust: 1.4
db:	JVNDB	id:	JVNDB-2018-008089	Trust: 0.8
db:	CNNVD	id:	CNNVD-201807-1840	Trust: 0.6
db:	VULHUB	id:	VHN-135572	Trust: 0.1

sources: VULHUB: VHN-135572 // BID: 104906 // JVNDB: JVNDB-2018-008089 // CNNVD: CNNVD-201807-1840 // NVD: CVE-2018-5541

REFERENCES

url:	https://support.f5.com/csp/article/k12403422	Trust: 2.0
url:	http://www.securityfocus.com/bid/104906	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5541	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-5541	Trust: 0.8
url:	http://www.f5.com/products/big-ip/	Trust: 0.3

sources: VULHUB: VHN-135572 // BID: 104906 // JVNDB: JVNDB-2018-008089 // CNNVD: CNNVD-201807-1840 // NVD: CVE-2018-5541

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 104906

SOURCES

db:	VULHUB	id:	VHN-135572
db:	BID	id:	104906
db:	JVNDB	id:	JVNDB-2018-008089
db:	CNNVD	id:	CNNVD-201807-1840
db:	NVD	id:	CVE-2018-5541

LAST UPDATE DATE

2024-11-23T22:26:15.582000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-135572	date:	2018-09-17T00:00:00
db:	BID	id:	104906	date:	2018-07-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-008089	date:	2018-10-09T00:00:00
db:	CNNVD	id:	CNNVD-201807-1840	date:	2018-07-26T00:00:00
db:	NVD	id:	CVE-2018-5541	date:	2024-11-21T04:09:02.050

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-135572	date:	2018-07-25T00:00:00
db:	BID	id:	104906	date:	2018-07-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-008089	date:	2018-10-09T00:00:00
db:	CNNVD	id:	CNNVD-201807-1840	date:	2018-07-26T00:00:00
db:	NVD	id:	CVE-2018-5541	date:	2018-07-25T14:29:00.477