Vulnerability Description
BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes using the aforementioned authentication configuration. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.3.0.79.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.97.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.99.6-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.15.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.36.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.40.5-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.11.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.14.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.68.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.70.9-ENG.iso, Hotfix-BIGIP-14.1.2.0.11.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.18.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.32.37-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.46.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.14.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.16.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.34.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.97.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.99.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.105.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.111.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.115.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.122.4-ENG.iso, Hotfix-BIGIP-15.0.1.0.33.11-ENG.iso, Hotfix-BIGIP-15.0.1.0.48.11-ENG.iso
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Link Controller | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Access Policy Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Advanced Firewall Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Application Acceleration Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Application Security Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Fraud Protection Service | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Local Traffic Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Policy Enforcement Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Analytics | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Domain Name System | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
| F5 | Big-Ip Global Traffic Manager | >= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix |
Related Weaknesses (CWE)
References
- https://support.f5.com/csp/article/K55655944Vendor Advisory
- https://support.f5.com/csp/article/K55655944?utm_source=f5support&%3Butm_medi
- https://support.f5.com/csp/article/K55655944Vendor Advisory
- https://support.f5.com/csp/article/K55655944?utm_source=f5support&%3Butm_medi
FAQ
What is CVE-2019-6675?
CVE-2019-6675 is a vulnerability with a CVSS score of 9.8 (CRITICAL). BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass....
How severe is CVE-2019-6675?
CVE-2019-6675 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-6675?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Link Controller, F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Application Acceleration Manager, F5 Big-Ip Application Security Manager.