Details of VAR-201911-0284

ID

VAR-201911-0284

CVE

CVE-2019-6660

TITLE

BIG-IP Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-012041

DESCRIPTION

On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service. BIG-IP Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. Traffic Management Microkernel (TMM) is one of the traffic management components. The TMM in F5 BIG-IP versions 14.1.0 to 14.1.2, 14.0.0 to 14.0.1, and 13.1.0 to 13.1.1 has a security vulnerability

Trust: 1.8

sources: NVD: CVE-2019-6660 // JVNDB: JVNDB-2019-012041 // VULHUB: VHN-158095 // VULMON: CVE-2019-6660

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.1.0	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0.5	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0.2	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0.1	Trust: 0.6
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.1.0.2	Trust: 0.6
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.1.0.1	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0.6	Trust: 0.6
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.2	Trust: 0.6
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.1.0.0	Trust: 0.6

sources: JVNDB: JVNDB-2019-012041 // CNNVD: CNNVD-201911-1012 // NVD: CVE-2019-6660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6660
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6660
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201911-1012
value:	HIGH
Trust: 0.6
VULHUB:	VHN-158095
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-6660
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6660
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-158095
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6660
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6660
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158095 // VULMON: CVE-2019-6660 // JVNDB: JVNDB-2019-012041 // CNNVD: CNNVD-201911-1012 // NVD: CVE-2019-6660

PROBLEMTYPE DATA

problemtype:

CWE-400

Trust: 1.9

sources: VULHUB: VHN-158095 // JVNDB: JVNDB-2019-012041 // NVD: CVE-2019-6660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-1012

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201911-1012

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012041

PATCH

title:	K23860356	url:	https://support.f5.com/csp/article/K23860356	Trust: 0.8
title:	F5 BIG-IP Traffic Management Microkernel Remediation of resource management error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108200	Trust: 0.6

sources: JVNDB: JVNDB-2019-012041 // CNNVD: CNNVD-201911-1012

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6660	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-012041	Trust: 0.8
db:	CNNVD	id:	CNNVD-201911-1012	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.4305.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4305	Trust: 0.6
db:	VULHUB	id:	VHN-158095	Trust: 0.1
db:	VULMON	id:	CVE-2019-6660	Trust: 0.1

sources: VULHUB: VHN-158095 // VULMON: CVE-2019-6660 // JVNDB: JVNDB-2019-012041 // CNNVD: CNNVD-201911-1012 // NVD: CVE-2019-6660

REFERENCES

url:	https://support.f5.com/csp/article/k23860356	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6660	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6660	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-infinite-loop-via-tmm-http-request-30876	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4305/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4305.2/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/171910	Trust: 0.1

sources: VULHUB: VHN-158095 // VULMON: CVE-2019-6660 // JVNDB: JVNDB-2019-012041 // CNNVD: CNNVD-201911-1012 // NVD: CVE-2019-6660

SOURCES

db:	VULHUB	id:	VHN-158095
db:	VULMON	id:	CVE-2019-6660
db:	JVNDB	id:	JVNDB-2019-012041
db:	CNNVD	id:	CNNVD-201911-1012
db:	NVD	id:	CVE-2019-6660

LAST UPDATE DATE

2024-11-23T22:37:36.840000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158095	date:	2019-11-19T00:00:00
db:	VULMON	id:	CVE-2019-6660	date:	2019-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-012041	date:	2019-11-25T00:00:00
db:	CNNVD	id:	CNNVD-201911-1012	date:	2019-11-25T00:00:00
db:	NVD	id:	CVE-2019-6660	date:	2024-11-21T04:46:54.230

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158095	date:	2019-11-15T00:00:00
db:	VULMON	id:	CVE-2019-6660	date:	2019-11-15T00:00:00
db:	JVNDB	id:	JVNDB-2019-012041	date:	2019-11-25T00:00:00
db:	CNNVD	id:	CNNVD-201911-1012	date:	2019-11-15T00:00:00
db:	NVD	id:	CVE-2019-6660	date:	2019-11-15T21:15:11.293