Sign-up

ID

VAR-202102-0806


CVE

CVE-2021-22981


TITLE

BIG-IP  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-003790

DESCRIPTION

On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. BIG-IP Contains an unspecified vulnerability.Information may be obtained and information may be tampered with

Trust: 1.71

sources: NVD: CVE-2021-22981 // JVNDB: JVNDB-2021-003790 // VULHUB: VHN-381467

AFFECTED PRODUCTS

vendor:f5model:big-ip advanced web application firewallscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:lteversion:12.1.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

vendor:f5model:big-ip ddos hybrid defenderscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-003790 // NVD: CVE-2021-22981

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-22981
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-22981
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202102-1054
value: MEDIUM

Trust: 0.6

VULHUB: VHN-381467
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-22981
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-381467
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-22981
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2021-22981
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381467 // JVNDB: JVNDB-2021-003790 // CNNVD: CNNVD-202102-1054 // NVD: CVE-2021-22981

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-003790 // NVD: CVE-2021-22981

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1054

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-1054

PATCH

title:K09121542url:https://support.f5.com/csp/article/K09121542

Trust: 0.8

title:BIG-IP Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142348

Trust: 0.6

sources: JVNDB: JVNDB-2021-003790 // CNNVD: CNNVD-202102-1054

EXTERNAL IDS

db:NVDid:CVE-2021-22981

Trust: 2.5

db:JVNDBid:JVNDB-2021-003790

Trust: 0.8

db:AUSCERTid:ESB-2021.0499

Trust: 0.6

db:CNNVDid:CNNVD-202102-1054

Trust: 0.6

db:VULHUBid:VHN-381467

Trust: 0.1

sources: VULHUB: VHN-381467 // JVNDB: JVNDB-2021-003790 // CNNVD: CNNVD-202102-1054 // NVD: CVE-2021-22981

REFERENCES

url:https://support.f5.com/csp/article/k09121542

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-22981

Trust: 1.4

url:https://vigilance.fr/vulnerability/f5-big-ip-man-in-the-middle-via-tls-master-secret-negotiation-34557

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0499

Trust: 0.6

sources: VULHUB: VHN-381467 // JVNDB: JVNDB-2021-003790 // CNNVD: CNNVD-202102-1054 // NVD: CVE-2021-22981

SOURCES

db:VULHUBid:VHN-381467
db:JVNDBid:JVNDB-2021-003790
db:CNNVDid:CNNVD-202102-1054
db:NVDid:CVE-2021-22981

LAST UPDATE DATE

2024-11-23T22:44:16.282000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-381467date:2021-02-19T00:00:00
db:JVNDBid:JVNDB-2021-003790date:2021-11-04T08:52:00
db:CNNVDid:CNNVD-202102-1054date:2021-02-22T00:00:00
db:NVDid:CVE-2021-22981date:2024-11-21T05:51:03.760

SOURCES RELEASE DATE

db:VULHUBid:VHN-381467date:2021-02-12T00:00:00
db:JVNDBid:JVNDB-2021-003790date:2021-11-04T00:00:00
db:CNNVDid:CNNVD-202102-1054date:2021-02-11T00:00:00
db:NVDid:CVE-2021-22981date:2021-02-12T18:15:12.797