Vulnerability Description
Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Protocol Security Module | 10.0.0 |
| F5 | Big-Ip Global Traffic Manager | 10.0.0 |
| F5 | Big-Ip Policy Enforcement Manager | 11.3.0 |
| F5 | Big-Ip Wan Optimization Manager | 10.0.0 |
| F5 | Big-Ip Application Acceleration Manager | 11.4.0 |
| F5 | Big-Ip Application Security Manager | 10.0.0 |
| F5 | Big-Ip Advanced Firewall Manager | 11.3.0 |
| F5 | Big-Ip Webaccelerator | 10.0.0 |
| F5 | Big-Ip Analytics | 11.0.0 |
| F5 | Big-Ip Link Controller | 10.0.0 |
| F5 | Enterprise Manager | 3.0.0 |
| F5 | Big-Ip Local Traffic Manager | 10.0.0 |
| F5 | Big-Ip Edge Gateway | 10.1.0 |
References
- http://packetstormsecurity.com/files/128915/F5-Big-IP-11.3.0.39.0-XML-External-EExploit
- http://seclists.org/fulldisclosure/2014/Oct/128
- http://seclists.org/fulldisclosure/2014/Oct/129
- http://seclists.org/fulldisclosure/2014/Oct/130
- http://www.securityfocus.com/bid/70834Exploit
- http://www.securitytracker.com/id/1031144
- http://www.securitytracker.com/id/1031145
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98402
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98403
- https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.htmlVendor Advisory
- https://www.portcullis-security.com/security-research-and-downloads/security-adv
- https://www.portcullis-security.com/security-research-and-downloads/security-adv
- http://packetstormsecurity.com/files/128915/F5-Big-IP-11.3.0.39.0-XML-External-EExploit
- http://seclists.org/fulldisclosure/2014/Oct/128
- http://seclists.org/fulldisclosure/2014/Oct/129
FAQ
What is CVE-2014-6032?
CVE-2014-6032 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0...
How severe is CVE-2014-6032?
CVE-2014-6032 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-6032?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Protocol Security Module, F5 Big-Ip Global Traffic Manager, F5 Big-Ip Policy Enforcement Manager, F5 Big-Ip Wan Optimization Manager, F5 Big-Ip Application Acceleration Manager.