CVE-2018-5502

moderate-risk

Published 2018-03-22

On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure.

Do I need to act?

0.42% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (13)

Big-Ip Access Policy Manager

Big-Ip Advanced Firewall Manager

Big-Ip Analytics

Big-Ip Application Acceleration Manager

Big-Ip Application Security Manager

Big-Ip Domain Name System

Big-Ip Edge Gateway

Big-Ip Global Traffic Manager

Big-Ip Link Controller

Big-Ip Local Traffic Manager

Big-Ip Policy Enforcement Manager

Big-Ip Webaccelerator

Big-Ip Websafe

Affected Vendors

References (4)

Third Party Advisory http://www.securitytracker.com/id/1040561

Vendor Advisory https://support.f5.com/csp/article/K43121447

Third Party Advisory http://www.securitytracker.com/id/1040561

Vendor Advisory https://support.f5.com/csp/article/K43121447

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 17/34 · Moderate