MEDIUM · 4.3

CVE-2014-9326

Vulnerability Description

The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and PEM 11.3.0 through 11.6.0 and the (2) Call Home feature in ASM 10.0.0 through 11.6.0 and PEM 11.3.0 through 11.6.0 does not properly validate server SSL certificates, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

CVSS Score

4.3 (MEDIUM)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Application Acceleration Manager | 11.5.0 |
| F5 | Big-Ip Policy Enforcement Manager | 11.3.0 |
| F5 | Big-Ip Policy Enforcement Manager11.5.1 | All versions |
| F5 | Big-Ip Global Traffic Manager | 11.5.0 |
| F5 | Big-Ip Advanced Firewall Manager | 11.5.0 |
| F5 | Big-Ip Local Traffic Manager | 11.5.0 |
| F5 | Big-Ip Application Security Manager | 11.5.0 |
| F5 | Big-Ip Link Controller | 11.5.0 |
| F5 | Big-Ip Access Policy Manager | 11.5.0 |
| F5 | Big-Ip Analytics | 11.5.0 |

References

FAQ

What is CVE-2014-9326?

CVE-2014-9326 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and PE...

How severe is CVE-2014-9326?

CVE-2014-9326 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2014-9326?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Application Acceleration Manager, F5 Big-Ip Policy Enforcement Manager, F5 Big-Ip Policy Enforcement Manager11.5.1, F5 Big-Ip Global Traffic Manager, F5 Big-Ip Advanced Firewall Manager.