F5 BIG-IP icon   F5 BIG-IP – Vulnerability!! CVE-2020-5902 – Remote Code Execution (RCE)



Security Advisory Description

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. (CVE-2020-5902)

Description

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Product Branch Versions known to be vulnerable Fixes introduced in Severity CVSSv3 score1 Vulnerable component or feature
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) 15.x 15.1.0 15.1.0.4 Critical 10.0 TMUI/Configuration utility
15.0.0 None
14.x 14.1.0 – 14.1.2 14.1.2.6
13.x 13.1.0 – 13.1.3 13.1.3.4
12.x 12.1.0 – 12.1.5 12.1.5.2
11.x 11.6.1 – 11.6.5 11.6.5.2

 

References:
https://support.f5.com/csp/article/K52145254

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902

 

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *