Details of VAR-201712-0669

ID

VAR-201712-0669

CVE

CVE-2017-6139

TITLE

F5 BIG-IP APM Vulnerability related to information leakage from log files in software

Trust: 0.8

sources: JVNDB: JVNDB-2017-011681

DESCRIPTION

In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare conditions, the BIG-IP APM system appends log details when responding to client requests. Details in the log file can vary; customers running debug mode logging with BIG-IP APM are at highest risk. F5 BIG-IP APM is prone to an information-disclosure vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information. This may lead to other attacks. Pulse Connect Secure and Desktop Client are prone to a local information-disclosure vulnerability. The following versions and products are vulnerable: Versions prior to Desktop Client 9.0R3, and 5.3R7 Versions prior to Pulse Connect Secure 9.0R3, 8.3R7, and 8.1R14. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States. The solution provides unified access to business-critical applications and networks

Trust: 2.52

sources: NVD: CVE-2017-6139 // JVNDB: JVNDB-2017-011681 // BID: 107884 // BID: 106186 // BID: 107881 // VULHUB: VHN-114342

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.2	Trust: 2.4
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.0.0	Trust: 2.4
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2019	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3054	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5130	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.7021	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.1025	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.4	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.3054	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.4.2034	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.5075	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.1047	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.217	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.2043	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3.4027	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.629	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.140	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.185	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.4235	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.5182	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3046	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3051	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.14018	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.5004	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.133	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.3050	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3041	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.7	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5112	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5116	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5125	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2017	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2001	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.7059	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.2016	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3.2039	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.9266	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.8057	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.4004	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.1012	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.4014	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.6073	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.2	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.6	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.8066	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.4.243	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2011	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.9231	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.1003	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.2052	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0.48	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5118	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.495	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.6005	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.254	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2014	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3.5017	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.9353	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.128	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.7073	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.1	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.1(8)	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.136	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.1	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2010	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.5131	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3055	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3.1095	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.202	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2006	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.5080	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0.51	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3.3086	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.3	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.5	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.5187	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2018	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.2	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.7030	Trust: 0.3
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.4.1054	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	ne	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	ne	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	ne	version:	12.1.3	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 9.0r2	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 9.0r1	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.3r6	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.3r5	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.3r4	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.3r1	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r7	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r6	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r5	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r4	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r3	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r2	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r13	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r12	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r10	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r1	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 9.0r2	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 9.0r1	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 5.3r6	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 5.3r1	scope:	-	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 9.0r3	scope:	ne	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.3r7	scope:	ne	version:	-	Trust: 0.3
vendor:	pulse	model:	secure pulse connect secure 8.1r14	scope:	ne	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 9.0r3	scope:	ne	version:	-	Trust: 0.3
vendor:	pulse	model:	secure desktop client 5.3r7	scope:	ne	version:	-	Trust: 0.3

sources: BID: 107884 // BID: 106186 // BID: 107881 // JVNDB: JVNDB-2017-011681 // NVD: CVE-2017-6139 // CNNVD: CNNVD-201702-781

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-6139
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-201702-781
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114342
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2017-6139
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-114342
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 1.0
NVD:	CVE-2017-6139
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-114342 // JVNDB: JVNDB-2017-011681 // NVD: CVE-2017-6139 // CNNVD: CNNVD-201702-781

PROBLEMTYPE DATA

problemtype:

CWE-532

Trust: 1.9

sources: VULHUB: VHN-114342 // JVNDB: JVNDB-2017-011681 // NVD: CVE-2017-6139

THREAT TYPE

local

Trust: 0.6

sources: BID: 107884 // BID: 107881

TYPE

Design Error

Trust: 0.6

sources: BID: 107884 // BID: 107881

CONFIGURATIONS

sources: NVD: CVE-2017-6139

PATCH

title:	K45432295	url:	https://support.f5.com/csp/article/k45432295	Trust: 0.8
title:	F5 BIG-IP Access Policy Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91637	Trust: 0.6

sources: JVNDB: JVNDB-2017-011681 // CNNVD: CNNVD-201702-781

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6139	Trust: 2.8
db:	BID	id:	106186	Trust: 2.0
db:	SECTRACK	id:	1040055	Trust: 1.7
db:	CERT/CC	id:	VU#192371	Trust: 1.5
db:	JVNDB	id:	JVNDB-2017-011681	Trust: 0.8
db:	CNNVD	id:	CNNVD-201702-781	Trust: 0.7
db:	BID	id:	107884	Trust: 0.3
db:	PULSESECURE	id:	SA44114	Trust: 0.3
db:	BID	id:	107881	Trust: 0.3
db:	VULHUB	id:	VHN-114342	Trust: 0.1

sources: VULHUB: VHN-114342 // BID: 107884 // BID: 106186 // BID: 107881 // JVNDB: JVNDB-2017-011681 // NVD: CVE-2017-6139 // CNNVD: CNNVD-201702-781

REFERENCES

url:	http://www.securityfocus.com/bid/106186	Trust: 2.3
url:	https://support.f5.com/csp/article/k45432295	Trust: 2.0
url:	http://www.securitytracker.com/id/1040055	Trust: 1.7
url:	https://www.kb.cert.org/vuls/id/192371/	Trust: 1.5
url:	http://www.f5.com/products/big-ip/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6139	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6139	Trust: 0.8
url:	http://www.cisco.com/en/us/products/ps10884/index.html	Trust: 0.3
url:	https://www.pulsesecure.net/	Trust: 0.3
url:	https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44114/	Trust: 0.3

sources: VULHUB: VHN-114342 // BID: 107884 // BID: 106186 // BID: 107881 // JVNDB: JVNDB-2017-011681 // NVD: CVE-2017-6139 // CNNVD: CNNVD-201702-781

CREDITS

National Defense ISAC Remote Access Working Group

Trust: 0.6

sources: BID: 107884 // BID: 107881

SOURCES

db:	VULHUB	id:	VHN-114342
db:	BID	id:	107884
db:	BID	id:	106186
db:	BID	id:	107881
db:	JVNDB	id:	JVNDB-2017-011681
db:	NVD	id:	CVE-2017-6139
db:	CNNVD	id:	CNNVD-201702-781

LAST UPDATE DATE

2023-12-18T12:00:22.982000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-114342	date:	2019-04-12T00:00:00
db:	BID	id:	107884	date:	2019-04-11T00:00:00
db:	BID	id:	106186	date:	2019-04-12T08:00:00
db:	BID	id:	107881	date:	2019-04-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-011681	date:	2018-01-24T00:00:00
db:	NVD	id:	CVE-2017-6139	date:	2019-04-12T10:29:00.447
db:	CNNVD	id:	CNNVD-201702-781	date:	2019-04-15T00:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-114342	date:	2017-12-21T00:00:00
db:	BID	id:	107884	date:	2019-04-11T00:00:00
db:	BID	id:	106186	date:	2017-12-21T00:00:00
db:	BID	id:	107881	date:	2019-04-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-011681	date:	2018-01-24T00:00:00
db:	NVD	id:	CVE-2017-6139	date:	2017-12-21T17:29:00.560
db:	CNNVD	id:	CNNVD-201702-781	date:	2017-02-23T00:00:00