Denial of Service Vulnerability in F5 BIG-IP Products
CVE-2018-15319

7.5HIGH

Key Information:

Vendor: F5
Status: Big-ip (ltm, Aam, Afm, Analytics, Apm, Asm, Dns, Edge Gateway, Fps, Gtm, Link Controller, Pem, Webaccelerator)
Vendor: CVE Published:; 31 October 2018

Summary

On affected versions of F5 BIG-IP, specifically those with the non-default 'normalize URI' configuration in iRules or BIG-IP LTM policies, maliciously crafted HTTP requests directed at virtual servers can exploit this vulnerability, leading to unintended restarts of the Traffic Management Microkernel (TMM). This behavior can disrupt services and impact availability, making it critical for users to apply appropriate mitigations.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6

References

http://www.securityfocus.com/bid/107052

vdb-entryx_refsource_BID

https://support.f5.com/csp/article/K64208870

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 31, 2018
Vulnerability Reserved
Aug 14, 2018