ID

VAR-201810-0914


CVE

CVE-2018-15321


TITLE

plural F5 Vulnerabilities related to authorization, authority, and access control in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-011702

DESCRIPTION

When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.1.0-2.3.0, or Enterprise Manager 3.1.1 is licensed for Appliance Mode, Admin and Resource administrator roles can by-pass BIG-IP Appliance Mode restrictions to overwrite critical system files. Attackers of high privilege level are able to overwrite critical system files which bypasses security controls in place to limit TMSH commands. This is possible with an administrator or resource administrator roles when granted TMSH. Resource administrator roles must have TMSH access in order to perform this attack. plural F5 The product contains vulnerabilities related to authorization, permissions, and access control.Information may be tampered with. F5 BIG-IP and so on are all products of F5 Company in the United States. F5 BIG-IP is an all-in-one network device that integrates functions such as network traffic management, application security management, and load balancing. BIG-IQ Centralized Management is a software-based cloud management solution. Security flaws exist in several F5 products. The following products and versions are affected: F5 BIG-IP version 14.0.0 to version 14.0.0.2, version 13.0.0 to version 13.1.0.5, version 12.1.0 to version 12.1.3.5, version 11.6.0 to version 11.6.3.2 , version 11.2.1 to 11.5.6; BIG-IQ Centralized Management version 5.0.0 to version 5.4.0, version 4.6.0; BIG-IQ Cloud and Orchestration version 1.0.0O; iWorkflow version 2.1.0 to 2.3.0 Version; Enterprise Manager version 3.1.1

Trust: 1.71

sources: NVD: CVE-2018-15321 // JVNDB: JVNDB-2018-011702 // VULHUB: VHN-125569

AFFECTED PRODUCTS

vendor:f5model:big-iq cloud and orchestrationscope:eqversion:1.0.0

Trust: 1.6

vendor:f5model:enterprise managerscope:eqversion:3.1.1

Trust: 1.6

vendor:f5model:big-iq centralized managementscope:eqversion:4.6.0

Trust: 1.6

vendor:f5model:big-ip policy enforcement managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:iworkflowscope:gteversion:2.1.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-iq centralized managementscope:lteversion:5.4.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:iworkflowscope:lteversion:2.3.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:11.6.3.2

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:14.0.0.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-iq centralized managementscope:gteversion:5.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip protocol security modulescope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:13.1.0.7

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:12.1.3.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:11.6.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:11.5.6

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:11.2.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

vendor:f5model:big-ip edge gatewayscope: - version: -

Trust: 0.8

vendor:f5model:big-ip enterprise managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip link controllerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip local traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip policy enforcement managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip protocol security modulescope: - version: -

Trust: 0.8

vendor:f5model:big-ip webacceleratorscope: - version: -

Trust: 0.8

vendor:f5model:big-iq centralized managementscope: - version: -

Trust: 0.8

vendor:f5model:big-iq cloud and orchestrationscope: - version: -

Trust: 0.8

vendor:f5model:iworkflowscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope:eqversion:14.0.0

Trust: 0.6

vendor:f5model:big-ip webacceleratorscope:eqversion:13.0.0

Trust: 0.6

vendor:f5model:big-ip local traffic managerscope:eqversion:11.6.3

Trust: 0.6

vendor:f5model:big-ip webacceleratorscope:eqversion:14.0.0

Trust: 0.6

vendor:f5model:big-ip webacceleratorscope:eqversion:12.1.3

Trust: 0.6

vendor:f5model:big-ip local traffic managerscope:eqversion:11.6.2

Trust: 0.6

vendor:f5model:big-ip analyticsscope:eqversion:11.2.1

Trust: 0.6

sources: CNNVD: CNNVD-201810-1540 // JVNDB: JVNDB-2018-011702 // NVD: CVE-2018-15321

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15321
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15321
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201810-1540
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125569
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15321
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125569
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15321
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-125569 // CNNVD: CNNVD-201810-1540 // JVNDB: JVNDB-2018-011702 // NVD: CVE-2018-15321

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-125569 // JVNDB: JVNDB-2018-011702 // NVD: CVE-2018-15321

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1540

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201810-1540

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011702

PATCH

title:K01067037url:https://support.f5.com/csp/article/K01067037

Trust: 0.8

title:Multiple F5 Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86515

Trust: 0.6

sources: CNNVD: CNNVD-201810-1540 // JVNDB: JVNDB-2018-011702

EXTERNAL IDS

db:NVDid:CVE-2018-15321

Trust: 2.5

db:JVNDBid:JVNDB-2018-011702

Trust: 0.8

db:CNNVDid:CNNVD-201810-1540

Trust: 0.7

db:VULHUBid:VHN-125569

Trust: 0.1

sources: VULHUB: VHN-125569 // CNNVD: CNNVD-201810-1540 // JVNDB: JVNDB-2018-011702 // NVD: CVE-2018-15321

REFERENCES

url:https://support.f5.com/csp/article/k01067037

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15321

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15321

Trust: 0.8

sources: VULHUB: VHN-125569 // CNNVD: CNNVD-201810-1540 // JVNDB: JVNDB-2018-011702 // NVD: CVE-2018-15321

SOURCES

db:VULHUBid:VHN-125569
db:CNNVDid:CNNVD-201810-1540
db:JVNDBid:JVNDB-2018-011702
db:NVDid:CVE-2018-15321

LAST UPDATE DATE

2026-06-19T23:30:24.175000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-125569date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201810-1540date:2019-10-23T00:00:00
db:JVNDBid:JVNDB-2018-011702date:2019-01-18T00:00:00
db:NVDid:CVE-2018-15321date:2026-06-17T01:42:15.523

SOURCES RELEASE DATE

db:VULHUBid:VHN-125569date:2018-10-31T00:00:00
db:CNNVDid:CNNVD-201810-1540date:2018-11-01T00:00:00
db:JVNDBid:JVNDB-2018-011702date:2019-01-18T00:00:00
db:NVDid:CVE-2018-15321date:2018-10-31T14:29:00.470