cmty-http-f5-big-ip-cve-2020-5902.xml
<?xml version="1.0" encoding="UTF-8"?>
<Vulnerability id="cmty-http-f5-big-ip-cve-2020-5902" published="2020-06-30" added="2020-07-01" modified="2020-07-07" version="2.0">
<severity>10</severity>
<cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>
<name>F5 Networks: K52145254 (CVE-2020-5902): BIG-IP TMUI RCE vulnerability CVE-2020-5902</name>
<Tags>
<tag>F5</tag>
<tag>F5 BIG-IP</tag>
<tag>Remote Execution</tag>
<tag>Rapid7 Critical</tag>
</Tags>
<AlternateIds>
<id name="URL">https://support.f5.com/csp/article/K52145254</id>
<id name="NVD">CVE-2020-5902</id>
</AlternateIds>
<Description>
<p>In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.</p>
<p>From K52145254:</p>
<p>The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in known pages. Successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution.</p>
<p>This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.</p>
</Description>
<Solutions>
<SolutionRef id="f5-big-ip-upgrade-latest"/>
</Solutions>
</Vulnerability>