CVE-2018-5509

7.5HIGH

Key Information:

Vendor
F5
Status
Big-ip (ltm, Aam, Afm, Apm, Asm, Link Controller, Pem, Websafe)
Vendor
CVE Published:
22 March 2018

Summary

On F5 BIG-IP versions 13.0.0 or 12.1.0 - 12.1.3.1, when a specifically configured virtual server receives traffic of an undisclosed nature, TMM will crash and take the configured failover action, potentially causing a denial of service. The configuration which exposes this issue is not common and in general does not work when enabled in previous versions of BIG-IP. Starting in 12.1.0, BIG-IP will crash if the configuration which exposes this issue is enabled and the virtual server receives non TCP traffic. With the fix of this issue, additional configuration validation logic has been added to prevent this configuration from being applied to a virtual server. There is only data plane exposure to this issue with a non-standard configuration. There is no control plane exposure.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, APM, ASM, Link Controller, PEM, WebSafe) 13.0.0

BIG-IP (LTM, AAM, AFM, APM, ASM, Link Controller, PEM, WebSafe) 12.1.0 - 12.1.3.1

References

http://www.securitytracker.com/id/1040562
vdb-entryx_refsource_SECTRACK
https://support.f5.com/csp/article/K49440608
x_refsource_CONFIRM
http://www.securityfocus.com/bid/103504
vdb-entryx_refsource_BID

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.