ID

VAR-201907-0143


CVE

CVE-2019-6637


TITLE

BIG-IP Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-006207

DESCRIPTION

On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, application logic abuse of ASM REST endpoints can lead to instability of the BIG-IP system. Exploitation of this issue causes excessive memory consumption, which results in the Linux kernel triggering the OOM killer on arbitrary processes. The attack requires an authenticated user with the role of "Guest" or greater privilege. Note: "No Access" cannot log in, so technically it is a role, but a user with this access role cannot perform the attack. BIG-IP (ASM) contains a resource exhaustion vulnerability. The system may be put into a service operation interruption (DoS) state. F5 BIG-IP ASM is prone to a denial-of-service vulnerability. F5 BIG-IP Application Security Manager (ASM) is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects email, simplifies Web access control, and enhances network and application performance. An attacker can exploit this vulnerability to consume a large amount of memory and terminate arbitrary processes. The following products and versions are affected: F5 BIG-IP ASM versions 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, and 12.1.0 to 12.1.4.

Trust: 1.98

sources: NVD: CVE-2019-6637 // JVNDB: JVNDB-2019-006207 // BID: 109091 // VULHUB: VHN-158072

AFFECTED PRODUCTS

vendor: f5, model: big-ip application security manager, scope: lt, version: 14.0.0.5

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 14.0.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lt, version: 14.1.0.6

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 13.0.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 14.1.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 12.1.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lt, version: 13.1.1.5

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lt, version: 12.1.4.1

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: eq, version: 12.1.0 to 12.1.4

Trust: 0.8

vendor: f5, model: big-ip application security manager, scope: eq, version: 13.0.0 to 13.1.1.4

Trust: 0.8

vendor: f5, model: big-ip application security manager, scope: eq, version: 14.0.0 to 14.0.0.4

Trust: 0.8

vendor: f5, model: big-ip application security manager, scope: eq, version: 14.1.0 to 14.1.0.5

Trust: 0.8

vendor: f5, model: big-ip asm, scope: eq, version: 14.1

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 14.0

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.1

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.0.1

Trust: 0.3

vendor: f5, model: big-ip asm hf3, scope: eq, version: 13.0

Trust: 0.3

vendor: f5, model: big-ip asm hf2, scope: eq, version: 13.0

Trust: 0.3

vendor: f5, model: big-ip asm hf1, scope: eq, version: 13.0

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.0

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.4

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.3

Trust: 0.3

vendor: f5, model: big-ip asm hf2, scope: eq, version: 12.1.2

Trust: 0.3

vendor: f5, model: big-ip asm hf1, scope: eq, version: 12.1.2

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.2

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.0.8

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.0.6

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.0.5

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.0.4

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 13.1.0.2

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.3.7

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.3.6

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.3.4

Trust: 0.3

vendor: f5, model: big-ip asm, scope: eq, version: 12.1.3.2

Trust: 0.3

vendor: f5, model: big-ip asm, scope: ne, version: 14.1.0.6

Trust: 0.3

vendor: f5, model: big-ip asm, scope: ne, version: 14.0.0.5

Trust: 0.3

vendor: f5, model: big-ip asm, scope: ne, version: 13.1.1.5

Trust: 0.3

vendor: f5, model: big-ip asm, scope: ne, version: 12.1.4.1

Trust: 0.3

sources: BID: 109091 // JVNDB: JVNDB-2019-006207 // NVD: CVE-2019-6637

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-6637
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-6637
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-050
value: MEDIUM

Trust: 0.6

VULHUB: VHN-158072
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-6637
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-158072
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-6637
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-158072 // JVNDB: JVNDB-2019-006207 // CNNVD: CNNVD-201907-050 // NVD: CVE-2019-6637

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-400

Trust: 0.9

sources: VULHUB: VHN-158072 // JVNDB: JVNDB-2019-006207 // NVD: CVE-2019-6637

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-050

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201907-050

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006207

PATCH

title: K29149494, url: https://support.f5.com/csp/article/K29149494

Trust: 0.8

title: F5 BIG-IP Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94286

Trust: 0.6

sources: JVNDB: JVNDB-2019-006207 // CNNVD: CNNVD-201907-050

EXTERNAL IDS

db: NVD, id: CVE-2019-6637

Trust: 2.8

db: BID, id: 109091

Trust: 2.0

db: JVNDB, id: JVNDB-2019-006207

Trust: 0.8

db: CNNVD, id: CNNVD-201907-050

Trust: 0.7

db: AUSCERT, id: ESB-2019.2408

Trust: 0.6

db: VULHUB, id: VHN-158072

Trust: 0.1

sources: VULHUB: VHN-158072 // BID: 109091 // JVNDB: JVNDB-2019-006207 // CNNVD: CNNVD-201907-050 // NVD: CVE-2019-6637

REFERENCES

url:https://support.f5.com/csp/article/k29149494

Trust: 2.0

url:http://www.securityfocus.com/bid/109091

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-6637

Trust: 1.4

url:http://www.f5.com/products/big-ip/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6637

Trust: 0.8

url:https://support.f5.com/csp/article/k44885536

Trust: 0.6

url:https://support.f5.com/csp/article/k20445457

Trust: 0.6

url:https://support.f5.com/csp/article/k67825238

Trust: 0.6

url:https://support.f5.com/csp/article/k79902360

Trust: 0.6

url:https://support.f5.com/csp/article/k20541896

Trust: 0.6

url:https://support.f5.com/csp/article/k22384173

Trust: 0.6

url:https://support.f5.com/csp/article/k68151373

Trust: 0.6

url:https://support.f5.com/csp/article/k00432398

Trust: 0.6

url:https://support.f5.com/csp/article/k64855220

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2408/

Trust: 0.6

sources: VULHUB: VHN-158072 // BID: 109091 // JVNDB: JVNDB-2019-006207 // CNNVD: CNNVD-201907-050 // NVD: CVE-2019-6637

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109091

SOURCES

db: VULHUB, id: VHN-158072
db: BID, id: 109091
db: JVNDB, id: JVNDB-2019-006207
db: CNNVD, id: CNNVD-201907-050
db: NVD, id: CVE-2019-6637

LAST UPDATE DATE

2024-11-23T21:38:13.098000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-158072, date: 2020-08-24T00:00:00
db: BID, id: 109091, date: 2019-07-02T00:00:00
db: JVNDB, id: JVNDB-2019-006207, date: 2019-07-12T00:00:00
db: CNNVD, id: CNNVD-201907-050, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-6637, date: 2024-11-21T04:46:51.433

SOURCES RELEASE DATE

db: VULHUB, id: VHN-158072, date: 2019-07-03T00:00:00
db: BID, id: 109091, date: 2019-07-02T00:00:00
db: JVNDB, id: JVNDB-2019-006207, date: 2019-07-12T00:00:00
db: CNNVD, id: CNNVD-201907-050, date: 2019-07-02T00:00:00
db: NVD, id: CVE-2019-6637, date: 2019-07-03T19:15:13.220