SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   F5 BIG-IP
Vendors:   F5 Networks
F5 BIG-IP AFM Input Validation Flaw in Configuration Utility Lets Remote Authenticated Users Inject SQL Commands
SecurityTracker Alert ID:  1040041
SecurityTracker URL:  http://securitytracker.com/id/1040041
CVE Reference:   CVE-2017-0304
Date:  Dec 21 2017
Impact:   Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): AFM 12.x, 13.x
Description:   A vulnerability was reported in F5 BIG-IP AFM. A remote authenticated user can inject SQL commands.

The Configuration utility does not properly validate user-supplied input. A remote authenticated user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to modify a copy of the configured firewall rules.

The live firewall rules used in the Traffic Management Microkernel (TMM) are not affected.

Traffic processing is not affected.

Systems that are not provisioned, or have never been provisioned, are not affected.

The vendor has assigned ID 639729 to this vulnerability.

Impact:   A remote authenticated user can execute SQL commands on the underlying database and modify a copy of the configured firewall rules.
Solution:   The vendor has issued a fix (AFM 12.1.3, 13.1.0, 13.0.0 HF1).

The vendor advisory is available at:

https://support.f5.com/csp/article/K39428424

Vendor URL:  support.f5.com/csp/article/K39428424
Cause:   Input validation error

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC