#VU16775 Denial of service in BIG-IP APM - CVE-2018-15335

Cybersecurity Help s.r.o.

Published: 2019-01-02

Vulnerability identifier: #VU16775

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-15335

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BIG-IP APM
Hardware solutions / Security hardware applicances

Vendor: F5 Networks

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to APM becomes a client application to an external OAuth authorization server when APM is deployed as an OAuth Resource Server. A remote attacker can cause APM not to display the intended message in the failure response when communication between the BIG-IP APM and the OAuth authorization server is lost.

Mitigation
Update to version 14.0.0.

Vulnerable software versions

BIG-IP APM: 13.0.0 - 13.1.1

External links
https://support.f5.com/csp/article/K27617652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in F5 BIG-IP