Information disclosure in F5 BIG-IP APM



Published: 2021-03-10 | Updated: 2021-03-22
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-23002
CWE-ID CWE-200
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe 		BIG-IP APM
Hardware solutions / Security hardware applicances

APM Clients
Hardware solutions / Security hardware applicances

Vendor F5 Networks

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU51601

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23002

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. A remote administrator on the local network can view the session ID.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IP APM: 11.6.1 - 16.0.1

APM Clients: 7.1.5 - 7.2.1

External links

http://support.f5.com/csp/article/K71891773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###