SQL injection in F5 BIG-IQ Centralized Management PostgreSQL component

1) SQL injection

EUVDB-ID: #VU15796

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16850

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of statements involving CREATE TRIGGER REFERENCING. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database when running the pg_upgrade utility on the database or during a pg_dump utility dump/restore cycle.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

BIG-IQ Centralized Management: 7.1.0 - 8.3.0

CPE2.3

• cpe:2.3:a:f5_networks:big-iq:7.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:big-iq:7.1.0.3:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:big-iq:8.0.0:*:*:*:*:*:*:*

External links

https://my.f5.com/manage/s/article/K98201023

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.