ID

VAR-201406-0322


CVE

CVE-2014-2949


TITLE

F5 ARX Data Manager contains a SQL injection vulnerability

Trust: 0.8

sources: CERT/CC: VU#210884

DESCRIPTION

SQL injection vulnerability in the web service in F5 ARX Data Manager 3.0.0 through 3.1.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') http://cwe.mitre.org/data/definitions/89.html
A user who can log in to the product may execute arbitrary SQL commands on the database referenced by the product. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker is able to inject SQL through the filerName field in this page, and use that to gain full administrator credentials for Data Manager. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. F5 ARX Data Manager supports data migration, storage tiering, and storage capacity balancing.

Trust: 3.33

sources: NVD: CVE-2014-2949 // CERT/CC: VU#210884 // JVNDB: JVNDB-2014-002948 // ZDI: ZDI-14-293 // BID: 68078 // VULHUB: VHN-70888

AFFECTED PRODUCTS

vendor: f5  model: arx data manager  scope: eq  version: 3.0.0

Trust: 1.6

vendor: f5  model: arx data manager  scope: eq  version: 3.1.0

Trust: 1.6

vendor: f5  model: -  scope: -  version: -

Trust: 0.8

vendor: f5  model: arx data manager  scope: lte  version: 3.0.0 to 3.1.0

Trust: 0.8

vendor: f5  model: data manager  scope: -  version: -

Trust: 0.7

sources: CERT/CC: VU#210884 // ZDI: ZDI-14-293 // JVNDB: JVNDB-2014-002948 // CNNVD: CNNVD-201406-420 // NVD: CVE-2014-2949

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2949
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2949
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-002948
value: MEDIUM

Trust: 0.8

ZDI: CVE-2014-2949
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-201406-420
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70888
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2949
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2014-2949
severity: MEDIUM
baseScore: 5.5
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2014-002948
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

ZDI: CVE-2014-2949
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-70888
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#210884 // ZDI: ZDI-14-293 // VULHUB: VHN-70888 // JVNDB: JVNDB-2014-002948 // CNNVD: CNNVD-201406-420 // NVD: CVE-2014-2949

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-70888 // JVNDB: JVNDB-2014-002948 // NVD: CVE-2014-2949

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-420

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201406-420

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002948

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#210884

PATCH

title: SOL14791 - End of Software Development for Data Manager 3.x
url: http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html

Trust: 0.8

title: SOL15310 - Data Manager SQL Injection Remote Code Execution vulnerability CVE-2014-2949
url: http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626

Trust: 0.8

title: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
05/02/2014 - ZDI disclosed vulnerability to vendor
05/12/2014 - Vendor acknowledged
06/16/2014 - ZDI wrote F5 to ask for clarification about:
  - Vendor wrote that they notified ZDI of closure on 06/09/2014 (this was not received) and indicated that "our publications team has determined that this release provides the appropriate level of disclosure"
06/17/2014 - ZDI acknowledged
06/18/2014 - ZDI wrote to confirm mitigation only
06/18/2014 - Vendor requested contact
06/19/2014 - ZDI replied
07/25/2014 - ZDI again wrote to confirm our understanding
08/12/2014 - ZDI published advisory
-- Vendor Mitigation:
To mitigate this vulnerability, you can stop the Data Manager Service when not in use. To do so, perform the following procedure:
Impact of action: Performing the following procedure should not have a negative impact on your system.
Log in as admin to Data Manager Web Application.
In the left navigation tree, click Tasks.
Ensure that all tasks are completed (or canceled) before proceeding.
Close the Data Manager Web Application.
From the Programs menu, open the Data Manager Control Panel.
Click the Main tab.
In the Service Status section, click the Stop button.
When necessary, you can restart the Data Manager Service by clicking the Start button.
http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html
url: http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html 06/16/2014

Trust: 0.7

sources: ZDI: ZDI-14-293 // JVNDB: JVNDB-2014-002948

EXTERNAL IDS

db: NVD  id: CVE-2014-2949

Trust: 3.5

db: CERT/CC  id: VU#210884

Trust: 3.3

db: ZDI  id: ZDI-14-293

Trust: 1.8

db: BID  id: 68078

Trust: 1.4

db: JVN  id: JVNVU91561766

Trust: 0.8

db: JVNDB  id: JVNDB-2014-002948

Trust: 0.8

db: ZDI_CAN  id: ZDI-CAN-2308

Trust: 0.7

db: CNNVD  id: CNNVD-201406-420

Trust: 0.7

db: VULHUB  id: VHN-70888

Trust: 0.1

sources: CERT/CC: VU#210884 // ZDI: ZDI-14-293 // VULHUB: VHN-70888 // BID: 68078 // JVNDB: JVNDB-2014-002948 // CNNVD: CNNVD-201406-420 // NVD: CVE-2014-2949

REFERENCES

url:http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/210884

Trust: 2.5

url:http://www.securityfocus.com/bid/68078

Trust: 1.1

url:http://www.zerodayinitiative.com/advisories/zdi-14-293/

Trust: 1.1

url:http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/89.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2949

Trust: 0.8

url:http://jvn.jp/vu/jvnvu91561766/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2949

Trust: 0.8

url: http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html 06/16/2014

Trust: 0.7

url:http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html

Trust: 0.7

sources: CERT/CC: VU#210884 // ZDI: ZDI-14-293 // VULHUB: VHN-70888 // JVNDB: JVNDB-2014-002948 // CNNVD: CNNVD-201406-420 // NVD: CVE-2014-2949

CREDITS

Andrea Micalizzi (rgod)

Trust: 0.7

sources: ZDI: ZDI-14-293

SOURCES

db: CERT/CC  id: VU#210884
db: ZDI  id: ZDI-14-293
db: VULHUB  id: VHN-70888
db: BID  id: 68078
db: JVNDB  id: JVNDB-2014-002948
db: CNNVD  id: CNNVD-201406-420
db: NVD  id: CVE-2014-2949

LAST UPDATE DATE

2025-04-13T23:22:34.245000+00:00


SOURCES UPDATE DATE

db: CERT/CC  id: VU#210884  date: 2014-06-17T00:00:00
db: ZDI  id: ZDI-14-293  date: 2014-08-12T00:00:00
db: VULHUB  id: VHN-70888  date: 2015-12-04T00:00:00
db: BID  id: 68078  date: 2014-08-14T00:13:00
db: JVNDB  id: JVNDB-2014-002948  date: 2014-06-23T00:00:00
db: CNNVD  id: CNNVD-201406-420  date: 2014-06-20T00:00:00
db: NVD  id: CVE-2014-2949  date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC  id: VU#210884  date: 2014-06-17T00:00:00
db: ZDI  id: ZDI-14-293  date: 2014-08-12T00:00:00
db: VULHUB  id: VHN-70888  date: 2014-06-18T00:00:00
db: BID  id: 68078  date: 2014-06-17T00:00:00
db: JVNDB  id: JVNDB-2014-002948  date: 2014-06-18T00:00:00
db: CNNVD  id: CNNVD-201406-420  date: 2014-06-20T00:00:00
db: NVD  id: CVE-2014-2949  date: 2014-06-18T16:55:07.627