-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3692
Oracle Java SE JAXP vulnerability CVE-2020-14621
27 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IQ Centralized Management
Traffix SDC
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14621
Reference: ASB-2020.0128
ESB-2020.3547
ESB-2020.2436
Original Bulletin:
https://support.f5.com/csp/article/K55053009
- --------------------------BEGIN INCLUDED TEXT--------------------
K55053009:Oracle Java SE JAXP vulnerability CVE-2020-14621
Security Advisory
Original Publication Date: 26 Oct, 2020
Security Advisory Description
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
(component: JAXP). Supported versions that are affected are Java SE: 7u261,
8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to
some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can
only be exploited by supplying data to APIs in the specified Component without
using Untrusted Java Web Start applications or Untrusted Java applets, such as
through a web service. (CVE-2020-14621)
Impact
Easily exploitable vulnerability allows unauthenticated attacker with network
access using multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized update,
insert, or delete access to some of Java SE, Java SE Embedded accessible data.
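The affected Java SE releases named above (7u261, 8u251, 11.0.7, 14.0.1 and Java SE Embedded 8u251) are what a practitioner would compare a runtime against. The following is an added example for this bulletin, not F5, Oracle or AusCERT code: it parses the first line of `java -version` output in both the legacy "1.8.0_251" form and the "11.0.7" form and compares the update level with the listed affected release on the same major line. The function names, the AFFECTED_UPDATE table and the sample banners are this example's own (the banners are constructed, not captured from any system). Two assumptions are not stated on the page: a release at or below the listed one is treated as affected, and anything newer is only reported as "newer than the listed release", because the fixed versions are not given here and non-Oracle builds number their updates differently. It checks a generic JVM, not the JRE bundled inside BIG-IQ or Traffix SDC.

```python
"""Compare a JVM's reported version with the Java SE releases that this
advisory (quoting Oracle) lists as affected by CVE-2020-14621.

Added example, not vendor code. Assumption: at or below the listed release
on the same major line is reported as affected; newer releases are only
reported as newer, since the page does not name the fixed versions.
"""
import re
import subprocess
from typing import Optional, Tuple

# Affected releases named in the advisory, keyed by major line -> update level:
# Java SE 7u261, 8u251 (also Java SE Embedded 8u251), 11.0.7 and 14.0.1.
AFFECTED_UPDATE = {7: 261, 8: 251, 11: 7, 14: 1}

# Legacy scheme (Java 8 and earlier):  java version "1.8.0_251"
_LEGACY = re.compile(r'"1\.(\d+)\.\d+_(\d+)')
# Current scheme (Java 9 and later):   openjdk version "11.0.7" 2020-04-14
_MODERN = re.compile(r'"(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner line, or None.

    "1.8.0_251" -> (8, 251); "11.0.7" -> (11, 7); a bare "14" -> (14, 0).
    The legacy pattern is tried first so "1.8.0_251" is not read as major 1.
    """
    m = _LEGACY.search(banner)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(banner)
    if m:
        return int(m.group(1)), int(m.group(3) or 0)
    return None


def is_affected(major: int, update: int) -> Optional[bool]:
    """True when at or below the listed affected release for that major line,
    False when newer, None when the advisory names nothing for that line."""
    if major not in AFFECTED_UPDATE:
        return None
    return update <= AFFECTED_UPDATE[major]


def check_banner(banner: str) -> str:
    """Human-readable verdict for one `java -version` banner line."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unrecognised: could not parse a Java version string"
    major, update = parsed
    verdict = is_affected(major, update)
    if verdict is None:
        return f"unlisted: Java {major} is not named in the advisory"
    if verdict:
        return (f"affected: Java {major} update {update} is at or below "
                f"the listed release (assumption: earlier releases included)")
    return (f"newer: Java {major} update {update} is past the listed affected "
            f"release; confirm the fix level with the vendor")


def local_java_banner(java: str = "java") -> Optional[str]:
    """Run `java -version` (it prints to stderr) and return its first line."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    out = proc.stderr or proc.stdout
    return out.splitlines()[0] if out else None


# Constructed sample banners (not captured from any real system).
SAMPLE_BANNERS = [
    'java version "1.8.0_251"',
    'java version "1.7.0_261"',
    'openjdk version "11.0.7" 2020-04-14',
    'java version "14.0.1" 2020-04-14',
    'openjdk version "11.0.8" 2020-07-14',
    'openjdk version "13.0.2" 2020-01-14',
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{line:40s} -> {check_banner(line)}")
    local = local_java_banner()
    if local:
        print(f"{'local runtime':40s} -> {check_banner(local)}")
```

The "newer" verdict is deliberately not "fixed": the advisory gives only the affected releases, and OpenJDK-derived builds do not share Oracle's update numbering, so a runtime past the listed update still needs to be checked against the vendor's own fix list.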
Security Advisory Status
F5 Product Development has assigned ID 948585 (BIG-IQ) and CPF-25211 (Traffix
SDC) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |16.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
|BIG-IP (LTM, AAM, +------+----------+----------+ | | |
|Advanced WAF, AFM, |14.x |None |Not | | | |
|Analytics, APM, | | |applicable|Not | | |
|ASM, DDHD, DNS, +------+----------+----------+vulnerable|None |None |
|FPS, GTM, Link |13.x |None |Not | | | |
|Controller, PEM, | | |applicable| | | |
|SSLO) +------+----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |7.0.0 - |Not | | | |
| | |7.1.0 |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |6.0.0 - |Not |High |5.3 |JAXP |
|Management | |6.1.0 |applicable| | | |
| +------+----------+----------+ | | |
| |5.x |5.4.0 |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |5.1.0 |Not |High |5.3 |JAXP |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX5dgiuNLKJtyKPYoAQiukQ//V+FmuynMps3p3vPAsOzeiRD81t4LxQlz
YLwlc24tJRoiQ6BsybXflJh8kG1nPCC5SOVJ21A4x1OwGnQY6axjbwzk7GPiKbm6
eVnXiW0EIGAKtA9+9LlUOc7DPgHKFEUd4bkASm+DrXaCJ58ST+N/LZIznULS80hY
9GbUrEZY+7qgdCrAXznj9lVScSkJ1lgAPZQG6wpsATMc+7BRvBR/2fedAoZcr3hf
nH8cI+dUZs6jIPmU6FiU9JqzZLRO2YDONTRm42jzTdZqGvesKWdbKC3HsNAtvipt
HPTtlQ87cz/EcYUfXL1v5v9te7DS/2EK9etdM8vDSqUFUE7BGmCOnkhxO70nz35D
3AqQjMhUbNe+vTjJP0WUsBKUuSVDPJw/ZR63IHq3ISpgRSJVVC9PXZfEuSzOruC3
JQpF5AHLYClZAFdEdk5XilVD6L2k3S89OIMP/Di4C4HDmxWc6GroEcxxKiGRYKIL
CundAYtfrnhj0tfshanWR3l/hzigTGuZE9Y+rrTqh6DK80Kr1V3MJkzVOTC7dwCs
XE3I3bi459oLcGjtuanEoEBS3GQXcZFLFrO+wqV0p+ZGzS6XD4iWwMfIINnwC6oO
IECg7BU7b1R2fv8Yk8xW0yA5RnbCLKrCS2d8U4M/PsNOmaM59PE6UbhpR07xc36K
amgB++Iccdc=
=jKMg
-----END PGP SIGNATURE-----