CVE-2014-2928 — HIGH (7.1) — White Hats Nepal

Vulnerability Description

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request.

CVSS Score

7.1

HIGH

AV:N/AC:H/Au:S/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
F5	Big-Ip Webaccelerator	9.4.0
F5	Big-Ip Local Traffic Manager	10.0.0
F5	Big-Ip Protocol Security Module	9.4.5
F5	Big-Ip Link Controller	10.0.0
F5	Big-Ip Application Security Manager	10.0.0
F5	Big-Ip Global Traffic Manager	10.0.0
F5	Big-Ip Wan Optimization Manager	10.0.0
F5	Big-Ip Access Policy Manager	10.1.0
F5	Big-Ip Edge Gateway	10.1.0

References

FAQ

What is CVE-2014-2928?

CVE-2014-2928 is a vulnerability with a CVSS score of 7.1 (HIGH). The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, ...

How severe is CVE-2014-2928?

CVE-2014-2928 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-2928?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Webaccelerator, F5 Big-Ip Local Traffic Manager, F5 Big-Ip Protocol Security Module, F5 Big-Ip Link Controller, F5 Big-Ip Application Security Manager.