8.5

CVE-2017-6167

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, race conditions in iControl REST may lead to commands being executed with different privilege levels than expected.

Data is provided by the National Vulnerability Database (NVD)
F5Big-ip Local Traffic Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Local Traffic Manager Version13.0.0
F5Big-ip Application Acceleration Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Advanced Firewall Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Analytics Version >= 12.1.0 <= 12.1.2
F5Big-ip Analytics Version13.0.0
F5Big-ip Access Policy Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Access Policy Manager Version13.0.0
F5Big-ip Application Security Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Dns Version >= 12.1.0 <= 12.1.2
F5Big-ip Dns Version13.0.0
F5Big-ip Link Controller Version >= 12.1.0 <= 12.1.2
F5Big-ip Link Controller Version13.0.0
F5Big-ip Policy Enforcement Manager Version >= 12.1.0 <= 12.1.2
F5Big-ip Websafe Version >= 12.1.0 <= 12.1.2
F5Big-ip Websafe Version13.0.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.31% 0.538
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 1.6 5.9
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 8.5 6.8 10
AV:N/AC:M/Au:S/C:C/I:C/A:C
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

http://www.securitytracker.com/id/1040053
Third Party Advisory
VDB Entry
https://support.f5.com/csp/article/K24465120
Vendor Advisory
Issue Tracking