{"containers": {"cna": {"affected": [{"product": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe)", "vendor": "F5 Networks, Inc.", "versions": [{"status": "affected", "version": "13.0.0 - 13.1.0.3"}]}], "datePublic": "2018-03-21T00:00:00", "descriptions": [{"lang": "en", "value": "On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure."}], "problemTypes": [{"descriptions": [{"description": "DoS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-23T09:57:01", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K43121447"}, {"name": "1040561", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040561"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "DATE_PUBLIC": "2018-03-21T00:00:00", "ID": "CVE-2018-5502", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe)", "version": {"version_data": [{"version_value": "13.0.0 - 13.1.0.3"}]}}]}, "vendor_name": "F5 Networks, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "DoS"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K43121447", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K43121447"}, {"name": "1040561", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040561"}]}}}}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2018-5502", "datePublished": "2018-03-21T00:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2018-03-23T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "894DA18C-0B22-45B1-8677-8979F1143216", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "445A66D4-37C1-42A8-A1CA-1D1E2C25E1E2", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE859987-9C3E-42A9-86E2-122B12090A15", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C8DAACD-71E0-4A83-A7ED-14BE366ACD1D", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA630386-C3DC-404E-9011-8DA3CD2F5865", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "6170B579-4770-4550-85B7-B784328DC2FF", "versionEndIncluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8766D2F-4D5D-4C78-B29D-1C5648B732D3", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "717B4A2F-C7E5-45FE-8CD5-8D9E0872B614", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "B23C430B-7477-4060-B68A-19B2B441F5EE", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0330565-B391-4121-81EB-601BAEA7BD50", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED65A801-F4BE-4067-903E-8997A13FFEF9", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*", "matchCriteriaId": "E231E105-5DBE-4FEC-8DB2-BEB91AC32F1D", "versionEndExcluding": "13.1.0.4", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_websafe:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E6556BF-A50D-4872-BF81-9397A7ECEC9C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure."}, {"lang": "es", "value": "Desde la versi\u00f3n 13.0.0 hasta la 13.1.0.3 de F5 BIG-IP, los atacantes podr\u00edan ser capaces de interrumpir servicios en el sistema BIG-IP con un certificado de cliente maliciosamente manipulado. Esta vulnerabilidad afecta a los servidores virtuales asociados con el perfil Client SSL, que habilita el uso de autenticaci\u00f3n de certificados de cliente. Este tipo de autenticaci\u00f3n no est\u00e1 habilitado por defecto en el perfil Client SSL. No hay ninguna exposici\u00f3n del plano de control."}], "id": "CVE-2018-5502", "lastModified": "2018-04-20T17:04:20.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-22T18:29:00.510", "references": [{"source": "f5sirt@f5.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040561"}, {"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K43121447"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}