CVE Vulnerabilities

CVE-2015-8021

Improper Access Control

Published: Apr 12, 2016 | Modified: Nov 28, 2016
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

Incomplete blacklist vulnerability in the Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, Link Controller, and PSM 11.x before 11.2.1 HF11, 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; BIG-IP AAM 11.4.0 before HF8 and 11.4.1 before HF6; BIG-IP AFM and PEM 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; and BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF11 and 11.3.0 allows remote authenticated users to upload files via uploadImage.php.

Weakness

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Software

Name Vendor Start Version End Version
Big-ip_access_policy_manager F5 11.0.0 11.0.0
Big-ip_link_controller F5 11.1.0 11.1.0
Big-ip_access_policy_manager F5 11.1.0 11.1.0
Big-ip_analytics F5 11.4.1 11.4.1
Big-ip_edge_gateway F5 11.2.0 11.2.0
Big-ip_protocol_security_module F5 11.2.1 11.2.1
Big-ip_link_controller F5 11.4.0 11.4.0
Big-ip_protocol_security_module F5 11.4.1 11.4.1
Big-ip_edge_gateway F5 11.3.0 11.3.0
Big-ip_local_traffic_manager F5 11.0.0 11.0.0
Big-ip_wan_optimization_manager F5 11.1.0 11.1.0
Big-ip_local_traffic_manager F5 11.2.1 11.2.1
Big-ip_wan_optimization_manager F5 11.2.1 11.2.1
Big-ip_edge_gateway F5 11.2.1 11.2.1
Big-ip_local_traffic_manager F5 11.2.0 11.2.0
Big-ip_global_traffic_manager F5 11.0.0 11.0.0
Big-ip_analytics F5 11.0.0 11.0.0
Big-ip_global_traffic_manager F5 11.4.0 11.4.0
Big-ip_wan_optimization_manager F5 11.3.0 11.3.0
Big-ip_advanced_firewall_manager F5 11.3.0 11.3.0
Big-ip_analytics F5 11.2.1 11.2.1
Big-ip_webaccelerator F5 11.2.0 11.2.0
Big-ip_global_traffic_manager F5 11.3.0 11.3.0
Big-ip_application_security_manager F5 11.1.0 11.1.0
Big-ip_analytics F5 11.2.0 11.2.0
Big-ip_global_traffic_manager F5 11.2.0 11.2.0
Big-ip_application_security_manager F5 11.4.0 11.4.0
Big-ip_application_acceleration_manager F5 11.4.1 11.4.1
Big-ip_application_security_manager F5 11.4.1 11.4.1
Big-ip_local_traffic_manager F5 11.3.0 11.3.0
Big-ip_wan_optimization_manager F5 11.0.0 11.0.0
Big-ip_analytics F5 11.3.0 11.3.0
Big-ip_webaccelerator F5 11.3.0 11.3.0
Big-ip_local_traffic_manager F5 11.4.1 11.4.1
Big-ip_protocol_security_module F5 11.2.0 11.2.0
Big-ip_access_policy_manager F5 11.2.1 11.2.1
Big-ip_edge_gateway F5 11.0.0 11.0.0
Big-ip_local_traffic_manager F5 11.1.0 11.1.0
Big-ip_protocol_security_module F5 11.4.0 11.4.0
Big-ip_webaccelerator F5 11.0.0 11.0.0
Big-ip_advanced_firewall_manager F5 11.4.1 11.4.1
Big-ip_wan_optimization_manager F5 11.2.0 11.2.0
Big-ip_global_traffic_manager F5 11.2.1 11.2.1
Big-ip_link_controller F5 11.4.1 11.4.1
Big-ip_protocol_security_module F5 11.3.0 11.3.0
Big-ip_application_security_manager F5 11.3.0 11.3.0
Big-ip_policy_enforcement_manager F5 11.4.0 11.4.0
Big-ip_application_security_manager F5 11.0.0 11.0.0
Big-ip_webaccelerator F5 11.1.0 11.1.0
Big-ip_edge_gateway F5 11.1.0 11.1.0
Big-ip_access_policy_manager F5 11.4.0 11.4.0
Big-ip_link_controller F5 11.2.0 11.2.0
Big-ip_webaccelerator F5 11.2.1 11.2.1
Big-ip_application_security_manager F5 11.2.0 11.2.0
Big-ip_link_controller F5 11.0.0 11.0.0
Big-ip_analytics F5 11.4.0 11.4.0
Big-ip_protocol_security_module F5 11.1.0 11.1.0
Big-ip_link_controller F5 11.2.1 11.2.1
Big-ip_policy_enforcement_manager F5 11.4.1 11.4.1
Big-ip_analytics F5 11.1.0 11.1.0
Big-ip_global_traffic_manager F5 11.1.0 11.1.0
Big-ip_advanced_firewall_manager F5 11.4.0 11.4.0
Big-ip_application_acceleration_manager F5 11.4.0 11.4.0
Big-ip_access_policy_manager F5 11.3.0 11.3.0
Big-ip_policy_enforcement_manager F5 11.3.0 11.3.0
Big-ip_access_policy_manager F5 11.2.0 11.2.0
Big-ip_protocol_security_module F5 11.0.0 11.0.0
Big-ip_local_traffic_manager F5 11.4.0 11.4.0
Big-ip_link_controller F5 11.3.0 11.3.0
Big-ip_application_security_manager F5 11.2.1 11.2.1
Big-ip_access_policy_manager F5 11.4.1 11.4.1

Extended Description

Access control involves the use of several protection mechanisms such as:

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses:

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

References