CVE-2019-6644

CRITICAL | CVSS 9.4/10 | EPSS 1.40%

Last modified

CVE-2019-6644 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible. EPSS estimates a 1.40% chance of exploitation in the next 30 days.

Description

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.

Metrics

CVSS 3.1
9.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Probability
1.40%

69.1th percentile

Probability of exploitation in the next 30 days.

Affected Software

| Vendor | Product                                 | Versions             |
|--------|-----------------------------------------|----------------------|
| F5     | Big-Ip Local Traffic Manager            | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Local Traffic Manager            | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Local Traffic Manager            | 14.0.0               |
| F5     | Big-Ip Local Traffic Manager            | 14.1.0               |
| F5     | Big-Ip Advanced Firewall Manager        | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Advanced Firewall Manager        | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Advanced Firewall Manager        | 14.0.0               |
| F5     | Big-Ip Advanced Firewall Manager        | 14.1.0               |
| F5     | Big-Ip Application Acceleration Manager | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Application Acceleration Manager | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Application Acceleration Manager | 14.0.0               |
| F5     | Big-Ip Application Acceleration Manager | 14.1.0               |
| F5     | Big-Ip Analytics                        | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Analytics                        | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Analytics                        | 14.0.0               |
| F5     | Big-Ip Analytics                        | 14.1.0               |
| F5     | Big-Ip Access Policy Manager            | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Access Policy Manager            | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Access Policy Manager            | 14.0.0               |
| F5     | Big-Ip Access Policy Manager            | 14.1.0               |
| F5     | Big-Ip Application Security Manager     | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Application Security Manager     | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Application Security Manager     | 14.0.0               |
| F5     | Big-Ip Application Security Manager     | 14.1.0               |
| F5     | Big-Ip Edge Gateway                     | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Edge Gateway                     | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Edge Gateway                     | 14.0.0               |
| F5     | Big-Ip Edge Gateway                     | 14.1.0               |
| F5     | Big-Ip Fraud Protection Service         | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Fraud Protection Service         | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Fraud Protection Service         | 14.0.0               |
| F5     | Big-Ip Fraud Protection Service         | 14.1.0               |
| F5     | Big-Ip Global Traffic Manager           | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Global Traffic Manager           | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Global Traffic Manager           | 14.0.0               |
| F5     | Big-Ip Global Traffic Manager           | 14.1.0               |
| F5     | Big-Ip Link Controller                  | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Link Controller                  | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Link Controller                  | 14.0.0               |
| F5     | Big-Ip Link Controller                  | 14.1.0               |
| F5     | Big-Ip Policy Enforcement Manager       | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Policy Enforcement Manager       | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Policy Enforcement Manager       | 14.0.0               |
| F5     | Big-Ip Policy Enforcement Manager       | 14.1.0               |
| F5     | Big-Ip Webaccelerator                   | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Webaccelerator                   | >= 13.0.0, <= 13.1.2 |
| F5     | Big-Ip Webaccelerator                   | 14.0.0               |
| F5     | Big-Ip Webaccelerator                   | 14.1.0               |
| F5     | Big-Ip Domain Name System               | >= 12.1.3, <= 12.1.4 |
| F5     | Big-Ip Domain Name System               | >= 13.0.0, <= 13.1.2 |

Showing 50 of 52 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-6644?
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.
How severe is CVE-2019-6644?
CVE-2019-6644 has a CVSS score of 9.4/10 (CRITICAL severity). The EPSS model estimates a 1.40% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6644?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-6644?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST