Details of VAR-201909-0068

ID

VAR-201909-0068

CVE

CVE-2019-6647

TITLE

plural BIG-IP Product resource exhaustion vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-009070

DESCRIPTION

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the management interface could eventually deplete memory on the system. plural BIG-IP The product contains a resource exhaustion vulnerability.Denial of service (DoS) May be in a state. F5 BIG-IP AFM, etc. are all products of F5 Company in the United States. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks. F5 BIG-IP Analytics is a suite of web application performance analysis software. F5 BIG-IP ASM, a web application firewall (WAF), has security vulnerabilities in several F5 products. An attacker can exploit this vulnerability to exhaust resources through continuous authentication and affect the operation of TMM and other components. The following products and versions are affected: F5 BIG-IP LTM Version 14.1.0, Version 14.0.0, Version 13.1.0 to Version 13.1.1, Version 12.1.0 to Version 12.1.4, Version 11.5.2 to Version 11.6.4 Version; BIG-IP AAM Version 14.1.0, Version 14.0.0, Version 13.1.0 to Version 13.1.1, Version 12.1.0 to Version 12.1.4, Version 11.5.2 to Version 11.6.4; BIG-IP AFM Version 14.1.0, Version 14.0.0, Version 13.1.0 to Version 13.1.1, Version 12.1.0 to Version 12.1.4, Version 11.5.2 to Version 11.6.4; BIG-IP Analytics Version 14.1.0, Version 14.0 .0, 13.1.0 to 13.1.1, 12.1.0 to 12.1.4, 11.5.2 to 11.6.4; BIG-IP APM 14.1.0, 14.0.0, 13.1. 0 to 13.1.1, 12.1.0 to 12.1.4, 11.5.2 to 11.6.4; BIG-IP ASM 14.1.0, 14.0.0, 13.1.0 to 13.1.1 Versions, 12.1.0 to 12.1.4, 11.5.2 to 11.6.4; BIG-IP DNS 14.1.0, 14.0.0, 13.1.0 to 13.1.1, 12.1.0 to version 12.1.4, version 11.5.2 to version 11.6.4; BIG-IP Edge Gateway version 14.1.0, version 14.0.0, version 13.1.0 to version 13.1.1, version 12.1.0 to 12.1

Trust: 1.71

sources: NVD: CVE-2019-6647 // JVNDB: JVNDB-2019-009070 // VULHUB: VHN-158082

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-009070 // NVD: CVE-2019-6647

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6647
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6647
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201908-643
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158082
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6647
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158082
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6647
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6647
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158082 // JVNDB: JVNDB-2019-009070 // CNNVD: CNNVD-201908-643 // NVD: CVE-2019-6647

PROBLEMTYPE DATA

problemtype:	CWE-401	Trust: 1.1
problemtype:	CWE-400	Trust: 0.9

sources: VULHUB: VHN-158082 // JVNDB: JVNDB-2019-009070 // NVD: CVE-2019-6647

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-643

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201908-643

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009070

PATCH

title:	K87920510	url:	https://support.f5.com/csp/article/K87920510	Trust: 0.8
title:	Multiple F5 Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96347	Trust: 0.6

sources: JVNDB: JVNDB-2019-009070 // CNNVD: CNNVD-201908-643

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6647	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-009070	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-643	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3057	Trust: 0.6
db:	VULHUB	id:	VHN-158082	Trust: 0.1

sources: VULHUB: VHN-158082 // JVNDB: JVNDB-2019-009070 // CNNVD: CNNVD-201908-643 // NVD: CVE-2019-6647

REFERENCES

url:	https://support.f5.com/csp/article/k87920510	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6647	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6647	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-memory-leak-via-mcpd-29994	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3057/	Trust: 0.6

sources: VULHUB: VHN-158082 // JVNDB: JVNDB-2019-009070 // CNNVD: CNNVD-201908-643 // NVD: CVE-2019-6647

SOURCES

db:	VULHUB	id:	VHN-158082
db:	JVNDB	id:	JVNDB-2019-009070
db:	CNNVD	id:	CNNVD-201908-643
db:	NVD	id:	CVE-2019-6647

LAST UPDATE DATE

2024-11-23T22:06:01.570000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158082	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-009070	date:	2019-09-11T00:00:00
db:	CNNVD	id:	CNNVD-201908-643	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-6647	date:	2024-11-21T04:46:52.637

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158082	date:	2019-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-009070	date:	2019-09-11T00:00:00
db:	CNNVD	id:	CNNVD-201908-643	date:	2019-08-09T00:00:00
db:	NVD	id:	CVE-2019-6647	date:	2019-09-04T17:15:11.567