CVE-2018-15326

Improper Certificate Validation

Published: Oct 31, 2018 | Modified: Dec 13, 2018
CVSS 3.x: 7.5 HIGH (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Source: NVD
CVSS 2.x: 6 MEDIUM (AV:N/AC:M/Au:S/C:P/I:P/A:P)

In some situations on BIG-IP APM 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.2, the CRLDP Auth access policy agent may treat revoked certificates as valid when the BIG-IP APM system fails to download a new Certificate Revocation List.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Big-ip_access_policy_manager | F5 | 11.6.0 (including) | 11.6.3.2 (including) |
| Big-ip_access_policy_manager | F5 | 12.1.0 (including) | 12.1.3.5 (including) |
| Big-ip_access_policy_manager | F5 | 13.0.0 (including) | 13.1.0.7 (including) |
| Big-ip_access_policy_manager | F5 | 14.0.0 (including) | 14.0.0.2 (including) |
