HIGH · 7.5

CVE-2015-8022

Vulnerability Description

The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, and Link Controller 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP AAM 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP AFM and PEM 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF16 and 11.3.0; and BIG-IP PSM 11.x before 11.2.1 HF16, 11.3.x, and 11.4.x before 11.4.1 HF10 allows remote authenticated users with certain permissions to gain privileges by leveraging an Access Policy Manager customization configuration section that allows file uploads.

CVSS Score

7.5 (HIGH)

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
F5 | Big-Ip Global Traffic Manager | 11.0.0
F5 | Big-Ip Local Traffic Manager | 11.0.0
F5 | Big-Ip Webaccelerator | 11.0.0
F5 | Big-Ip Policy Enforcement Manager | 11.3.0
F5 | Big-Ip Advanced Firewall Manager | 11.3.0
F5 | Big-Ip Access Policy Manager | 11.0.0
F5 | Big-Ip Analytics | 11.0.0
F5 | Big-Ip Wan Optimization Manager | 11.0.0
F5 | Big-Ip Link Controller | 11.0.0
F5 | Big-Ip Edge Gateway | 11.0.0
F5 | Big-Ip Application Security Manager | 11.0.0
F5 | Big-Ip Application Acceleration Manager | 11.4.0
F5 | Big-Ip Websafe | 11.6.0
F5 | Big-Ip Protocol Security Module | 11.0.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2015-8022?

CVE-2015-8022 is a vulnerability with a CVSS score of 7.5 (HIGH). The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, and Link Controller 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BI...

How severe is CVE-2015-8022?

CVE-2015-8022 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-8022?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Global Traffic Manager, F5 Big-Ip Local Traffic Manager, F5 Big-Ip Webaccelerator, F5 Big-Ip Policy Enforcement Manager, F5 Big-Ip Advanced Firewall Manager.