Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-6032

Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements.

Published

2014-11-01T23:55:09.587

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	f5	big-ip_protocol_security_module	10.0.0	Yes
Application	f5	big-ip_protocol_security_module	10.1.0	Yes
Application	f5	big-ip_protocol_security_module	10.2.0	Yes
Application	f5	big-ip_protocol_security_module	10.2.1	Yes
Application	f5	big-ip_protocol_security_module	10.2.2	Yes
Application	f5	big-ip_protocol_security_module	10.2.3	Yes
Application	f5	big-ip_protocol_security_module	10.2.4	Yes
Application	f5	big-ip_protocol_security_module	11.0.0	Yes
Application	f5	big-ip_protocol_security_module	11.1.0	Yes
Application	f5	big-ip_protocol_security_module	11.2.0	Yes
Application	f5	big-ip_protocol_security_module	11.2.1	Yes
Application	f5	big-ip_protocol_security_module	11.3.0	Yes
Application	f5	big-ip_protocol_security_module	11.4.0	Yes
Application	f5	big-ip_protocol_security_module	11.4.1	Yes
Application	f5	big-ip_global_traffic_manager	10.0.0	Yes
Application	f5	big-ip_global_traffic_manager	10.1.0	Yes
Application	f5	big-ip_global_traffic_manager	10.2.0	Yes
Application	f5	big-ip_global_traffic_manager	10.2.1	Yes
Application	f5	big-ip_global_traffic_manager	10.2.2	Yes
Application	f5	big-ip_global_traffic_manager	10.2.3	Yes
Application	f5	big-ip_global_traffic_manager	10.2.4	Yes
Application	f5	big-ip_global_traffic_manager	11.0.0	Yes
Application	f5	big-ip_global_traffic_manager	11.1.0	Yes
Application	f5	big-ip_global_traffic_manager	11.2.0	Yes
Application	f5	big-ip_global_traffic_manager	11.2.1	Yes
Application	f5	big-ip_global_traffic_manager	11.3.0	Yes
Application	f5	big-ip_global_traffic_manager	11.4.0	Yes
Application	f5	big-ip_global_traffic_manager	11.4.1	Yes
Application	f5	big-ip_global_traffic_manager	11.5.0	Yes
Application	f5	big-ip_global_traffic_manager	11.5.1	Yes
Application	f5	big-ip_global_traffic_manager	11.6.0	Yes
Application	f5	big-ip_policy_enforcement_manager	11.3.0	Yes
Application	f5	big-ip_policy_enforcement_manager	11.4.0	Yes
Application	f5	big-ip_policy_enforcement_manager	11.4.1	Yes
Application	f5	big-ip_policy_enforcement_manager	11.5.0	Yes
Application	f5	big-ip_policy_enforcement_manager	11.5.1	Yes
Application	f5	big-ip_policy_enforcement_manager	11.6.0	Yes
Application	f5	big-ip_wan_optimization_manager	10.0.0	Yes
Application	f5	big-ip_wan_optimization_manager	10.1.0	Yes
Application	f5	big-ip_wan_optimization_manager	10.2.0	Yes
Application	f5	big-ip_wan_optimization_manager	10.2.1	Yes
Application	f5	big-ip_wan_optimization_manager	10.2.2	Yes
Application	f5	big-ip_wan_optimization_manager	10.2.3	Yes
Application	f5	big-ip_wan_optimization_manager	10.2.4	Yes
Application	f5	big-ip_wan_optimization_manager	11.0.0	Yes
Application	f5	big-ip_wan_optimization_manager	11.1.0	Yes
Application	f5	big-ip_wan_optimization_manager	11.2.0	Yes
Application	f5	big-ip_wan_optimization_manager	11.2.1	Yes
Application	f5	big-ip_wan_optimization_manager	11.3.0	Yes
Application	f5	big-ip_application_acceleration_manager	11.4.0	Yes
Application	f5	big-ip_application_acceleration_manager	11.4.1	Yes
Application	f5	big-ip_application_acceleration_manager	11.5.0	Yes
Application	f5	big-ip_application_acceleration_manager	11.5.1	Yes
Application	f5	big-ip_application_acceleration_manager	11.6.0	Yes
Application	f5	big-ip_application_security_manager	10.0.0	Yes
Application	f5	big-ip_application_security_manager	10.1.0	Yes
Application	f5	big-ip_application_security_manager	10.2.0	Yes
Application	f5	big-ip_application_security_manager	10.2.1	Yes
Application	f5	big-ip_application_security_manager	10.2.2	Yes
Application	f5	big-ip_application_security_manager	10.2.3	Yes
Application	f5	big-ip_application_security_manager	10.2.4	Yes
Application	f5	big-ip_application_security_manager	11.0.0	Yes
Application	f5	big-ip_application_security_manager	11.1.0	Yes
Application	f5	big-ip_application_security_manager	11.2.0	Yes
Application	f5	big-ip_application_security_manager	11.2.1	Yes
Application	f5	big-ip_application_security_manager	11.3.0	Yes
Application	f5	big-ip_application_security_manager	11.4.0	Yes
Application	f5	big-ip_application_security_manager	11.4.1	Yes
Application	f5	big-ip_application_security_manager	11.5.0	Yes
Application	f5	big-ip_application_security_manager	11.5.1	Yes
Application	f5	big-ip_application_security_manager	11.6.0	Yes
Application	f5	big-ip_advanced_firewall_manager	11.3.0	Yes
Application	f5	big-ip_advanced_firewall_manager	11.4.0	Yes
Application	f5	big-ip_advanced_firewall_manager	11.4.1	Yes
Application	f5	big-ip_advanced_firewall_manager	11.5.0	Yes
Application	f5	big-ip_advanced_firewall_manager	11.5.1	Yes
Application	f5	big-ip_advanced_firewall_manager	11.6.0	Yes
Application	f5	big-ip_webaccelerator	10.0.0	Yes
Application	f5	big-ip_webaccelerator	10.1.0	Yes
Application	f5	big-ip_webaccelerator	10.2.0	Yes
Application	f5	big-ip_webaccelerator	10.2.1	Yes
Application	f5	big-ip_webaccelerator	10.2.2	Yes
Application	f5	big-ip_webaccelerator	10.2.3	Yes
Application	f5	big-ip_webaccelerator	10.2.4	Yes
Application	f5	big-ip_webaccelerator	11.0.0	Yes
Application	f5	big-ip_webaccelerator	11.1.0	Yes
Application	f5	big-ip_webaccelerator	11.2.0	Yes
Application	f5	big-ip_webaccelerator	11.2.1	Yes
Application	f5	big-ip_webaccelerator	11.3.0	Yes
Application	f5	big-ip_analytics	11.0.0	Yes
Application	f5	big-ip_analytics	11.1.0	Yes
Application	f5	big-ip_analytics	11.2.0	Yes
Application	f5	big-ip_analytics	11.2.1	Yes
Application	f5	big-ip_analytics	11.3.0	Yes
Application	f5	big-ip_analytics	11.4.0	Yes
Application	f5	big-ip_analytics	11.4.1	Yes
Application	f5	big-ip_analytics	11.5.0	Yes
Application	f5	big-ip_analytics	11.5.1	Yes
Application	f5	big-ip_analytics	11.6.0	Yes
Application	f5	big-ip_link_controller	10.0.0	Yes
Application	f5	big-ip_link_controller	10.1.0	Yes
Application	f5	big-ip_link_controller	10.2.0	Yes
Application	f5	big-ip_link_controller	10.2.1	Yes
Application	f5	big-ip_link_controller	10.2.2	Yes
Application	f5	big-ip_link_controller	10.2.3	Yes
Application	f5	big-ip_link_controller	10.2.4	Yes
Application	f5	big-ip_link_controller	11.0.0	Yes
Application	f5	big-ip_link_controller	11.1.0	Yes
Application	f5	big-ip_link_controller	11.2.0	Yes
Application	f5	big-ip_link_controller	11.2.1	Yes
Application	f5	big-ip_link_controller	11.3.0	Yes
Application	f5	big-ip_link_controller	11.4.0	Yes
Application	f5	big-ip_link_controller	11.4.1	Yes
Application	f5	big-ip_link_controller	11.5.0	Yes
Application	f5	big-ip_link_controller	11.5.1	Yes
Application	f5	big-ip_link_controller	11.6.0	Yes
Application	f5	big-ip_application_security_manager	10.0.0	Yes
Application	f5	big-ip_application_security_manager	10.1.0	Yes
Application	f5	big-ip_application_security_manager	10.2.0	Yes
Application	f5	big-ip_application_security_manager	10.2.1	Yes
Application	f5	big-ip_application_security_manager	10.2.2	Yes
Application	f5	big-ip_application_security_manager	10.2.3	Yes
Application	f5	big-ip_application_security_manager	10.2.4	Yes
Application	f5	big-ip_application_security_manager	11.0.0	Yes
Application	f5	big-ip_application_security_manager	11.1.0	Yes
Application	f5	big-ip_application_security_manager	11.2.0	Yes
Application	f5	big-ip_application_security_manager	11.2.1	Yes
Application	f5	big-ip_application_security_manager	11.3.0	Yes
Application	f5	big-ip_application_security_manager	11.4.0	Yes
Application	f5	big-ip_application_security_manager	11.4.1	Yes
Application	f5	big-ip_application_security_manager	11.5.0	Yes
Application	f5	big-ip_application_security_manager	11.5.1	Yes
Application	f5	big-ip_application_security_manager	11.6.0	Yes
Application	f5	enterprise_manager	3.0.0	Yes
Application	f5	enterprise_manager	3.1.0	Yes
Application	f5	enterprise_manager	3.1.1	Yes
Hardware	f5	enterprise_manager	2.1.0	Yes
Hardware	f5	enterprise_manager	2.2.0	Yes
Hardware	f5	enterprise_manager	2.3.0	Yes
Application	f5	big-ip_local_traffic_manager	10.0.0	Yes
Application	f5	big-ip_local_traffic_manager	10.1.0	Yes
Application	f5	big-ip_local_traffic_manager	10.2.0	Yes
Application	f5	big-ip_local_traffic_manager	10.2.1	Yes
Application	f5	big-ip_local_traffic_manager	10.2.2	Yes
Application	f5	big-ip_local_traffic_manager	10.2.3	Yes
Application	f5	big-ip_local_traffic_manager	10.2.4	Yes
Application	f5	big-ip_local_traffic_manager	11.0.0	Yes
Application	f5	big-ip_local_traffic_manager	11.1.0	Yes
Application	f5	big-ip_local_traffic_manager	11.2.0	Yes
Application	f5	big-ip_local_traffic_manager	11.2.1	Yes
Application	f5	big-ip_local_traffic_manager	11.3.0	Yes
Application	f5	big-ip_local_traffic_manager	11.4.0	Yes
Application	f5	big-ip_local_traffic_manager	11.4.1	Yes
Application	f5	big-ip_local_traffic_manager	11.5.0	Yes
Application	f5	big-ip_local_traffic_manager	11.5.1	Yes
Application	f5	big-ip_local_traffic_manager	11.6.0	Yes
Application	f5	big-ip_edge_gateway	10.1.0	Yes
Application	f5	big-ip_edge_gateway	10.2.0	Yes
Application	f5	big-ip_edge_gateway	10.2.1	Yes
Application	f5	big-ip_edge_gateway	10.2.2	Yes
Application	f5	big-ip_edge_gateway	10.2.3	Yes
Application	f5	big-ip_edge_gateway	10.2.4	Yes
Application	f5	big-ip_edge_gateway	11.0.0	Yes
Application	f5	big-ip_edge_gateway	11.1.0	Yes
Application	f5	big-ip_edge_gateway	11.2.0	Yes
Application	f5	big-ip_edge_gateway	11.2.1	Yes
Application	f5	big-ip_edge_gateway	11.3.0	Yes

References

http://packetstormsecurity.com/files/128915/F5-Big-IP-11.3.0.39.0-XML-External-Entity-Injection-1.html Exploit ([email protected])
http://seclists.org/fulldisclosure/2014/Oct/128 ([email protected])
http://seclists.org/fulldisclosure/2014/Oct/129 ([email protected])
http://seclists.org/fulldisclosure/2014/Oct/130 ([email protected])
http://www.securityfocus.com/bid/70834 Exploit ([email protected])
http://www.securitytracker.com/id/1031144 ([email protected])
http://www.securitytracker.com/id/1031145 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/98402 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/98403 ([email protected])
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html Vendor Advisory ([email protected])
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6032/ ([email protected])
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6033/ ([email protected])
http://packetstormsecurity.com/files/128915/F5-Big-IP-11.3.0.39.0-XML-External-Entity-Injection-1.html Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2014/Oct/128 (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2014/Oct/129 (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2014/Oct/130 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/70834 Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1031144 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1031145 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/98402 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/98403 (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6032/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6033/ (af854a3a-2127-422b-91ae-364da2661108)