Details of VAR-202109-0777

ID

VAR-202109-0777

CVE

CVE-2021-23028

TITLE

F5 Advanced Web Application Firewall and BIG-IP ASM Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-011919

DESCRIPTION

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in the F5 BIG-IP. The vulnerability stems from the fact that an attacker can cause a fatal error through the JSON content configuration file of F5 BIG-IP WAF/ASM to trigger a denial of service

Trust: 1.8

sources: NVD: CVE-2021-23028 // JVNDB: JVNDB-2021-011919 // VULHUB: VHN-381514 // VULMON: CVE-2021-23028

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	13.1.3.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lte	version:	13.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.3.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	14.1.3.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	15.1.3.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lte	version:	14.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	14.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1..3.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.3.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced web application firewall	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-011919 // NVD: CVE-2021-23028

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23028
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-23028
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202108-1979
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381514
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-23028
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-23028
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-381514
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-23028
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-23028
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381514 // VULMON: CVE-2021-23028 // JVNDB: JVNDB-2021-011919 // CNNVD: CNNVD-202108-1979 // NVD: CVE-2021-23028

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.1
problemtype:	Inappropriate input confirmation (CWE-20) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381514 // JVNDB: JVNDB-2021-011919 // NVD: CVE-2021-23028

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1979

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202108-1979

PATCH

title:

K00602225

url:

https://support.f5.com/csp/article/K00602225

Trust: 0.8

sources: JVNDB: JVNDB-2021-011919

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23028	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-011919	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-1979	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.2862	Trust: 0.6
db:	VULHUB	id:	VHN-381514	Trust: 0.1
db:	VULMON	id:	CVE-2021-23028	Trust: 0.1

sources: VULHUB: VHN-381514 // VULMON: CVE-2021-23028 // JVNDB: JVNDB-2021-011919 // CNNVD: CNNVD-202108-1979 // NVD: CVE-2021-23028

REFERENCES

url:	https://support.f5.com/csp/article/k00602225	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23028	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.2862	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-waf-asm-denial-of-service-via-json-content-profiles-36192	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-381514 // VULMON: CVE-2021-23028 // JVNDB: JVNDB-2021-011919 // CNNVD: CNNVD-202108-1979 // NVD: CVE-2021-23028

SOURCES

db:	VULHUB	id:	VHN-381514
db:	VULMON	id:	CVE-2021-23028
db:	JVNDB	id:	JVNDB-2021-011919
db:	CNNVD	id:	CNNVD-202108-1979
db:	NVD	id:	CVE-2021-23028

LAST UPDATE DATE

2024-08-14T14:31:38.072000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381514	date:	2021-09-24T00:00:00
db:	VULMON	id:	CVE-2021-23028	date:	2021-09-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-011919	date:	2022-08-16T07:18:00
db:	CNNVD	id:	CNNVD-202108-1979	date:	2021-09-26T00:00:00
db:	NVD	id:	CVE-2021-23028	date:	2021-09-24T19:19:10.647

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381514	date:	2021-09-14T00:00:00
db:	VULMON	id:	CVE-2021-23028	date:	2021-09-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-011919	date:	2022-08-16T00:00:00
db:	CNNVD	id:	CNNVD-202108-1979	date:	2021-08-24T00:00:00
db:	NVD	id:	CVE-2021-23028	date:	2021-09-14T21:15:07.663