Details of VAR-201903-0191

ID

VAR-201903-0191

CVE

CVE-2019-6598

TITLE

plural BIG-IP Vulnerability related to input validation in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-002603

DESCRIPTION

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and does not have the access level to perform the attack. plural BIG-IP The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. An input validation vulnerability exists in the traffic management user interface in F5 BIG-IP. A remote attacker can exploit this vulnerability to interrupt TMUI services by sending malformed requests. The following products and versions are affected: F5 BIG-IP Version 14.0.0 to Version 14.0.0.2, Version 13.0.0 to Version 13.1.0.7, Version 12.1.0 to Version 12.1.3.5, Version 11.6.1 to Version 11.6.3.2 , 11.5.1 to 11.5.8; Enterprise Manager 3.1.1

Trust: 1.71

sources: NVD: CVE-2019-6598 // JVNDB: JVNDB-2019-002603 // VULHUB: VHN-158033

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	enterprise manager	scope:	eq	version:	3.1.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.0.7	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.6.3.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-002603 // NVD: CVE-2019-6598

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6598
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6598
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201903-422
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158033
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6598
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158033
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6598
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158033 // JVNDB: JVNDB-2019-002603 // CNNVD: CNNVD-201903-422 // NVD: CVE-2019-6598

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-158033 // JVNDB: JVNDB-2019-002603 // NVD: CVE-2019-6598

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-422

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201903-422

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002603

PATCH

title:	K44603900	url:	https://support.f5.com/csp/article/K44603900	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90038	Trust: 0.6

sources: JVNDB: JVNDB-2019-002603 // CNNVD: CNNVD-201903-422

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6598	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-002603	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-422	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.0768	Trust: 0.6
db:	VULHUB	id:	VHN-158033	Trust: 0.1

sources: VULHUB: VHN-158033 // JVNDB: JVNDB-2019-002603 // CNNVD: CNNVD-201903-422 // NVD: CVE-2019-6598

REFERENCES

url:	https://support.f5.com/csp/article/k44603900	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6598	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6598	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/76850	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-denial-of-service-via-tmui-28721	Trust: 0.6

sources: VULHUB: VHN-158033 // JVNDB: JVNDB-2019-002603 // CNNVD: CNNVD-201903-422 // NVD: CVE-2019-6598

SOURCES

db:	VULHUB	id:	VHN-158033
db:	JVNDB	id:	JVNDB-2019-002603
db:	CNNVD	id:	CNNVD-201903-422
db:	NVD	id:	CVE-2019-6598

LAST UPDATE DATE

2024-11-23T22:00:06.477000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158033	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-002603	date:	2019-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201903-422	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-6598	date:	2024-11-21T04:46:46.630

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158033	date:	2019-03-13T00:00:00
db:	JVNDB	id:	JVNDB-2019-002603	date:	2019-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201903-422	date:	2019-03-12T00:00:00
db:	NVD	id:	CVE-2019-6598	date:	2019-03-13T22:29:00.473