Vulnerabilities > CVE-2019-19150 - Information Exposure Through Log Files vulnerability in F5 Big-Ip Access Policy Manager

CVSS 3.5 - LOW

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

CWE-532

nessus

NVD

Published: 2019-12-23

Updated: 2019-12-30

Summary

On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, the BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Access Policy Manager 11.6.1 F5 BIG IP Access Policy Manager 11.6.2 F5 BIG IP Access Policy Manager 11.6.3 F5 BIG IP Access Policy Manager 11.6.3.1 F5 BIG IP Access Policy Manager 11.6.3.2 F5 BIG IP Access Policy Manager 11.6.3.3 F5 BIG IP Access Policy Manager 11.6.3.4 F5 BIG IP Access Policy Manager 11.6.4 F5 BIG IP Access Policy Manager 12.1.0 F5 BIG IP Access Policy Manager 12.1.1 F5 BIG IP Access Policy Manager 12.1.2 F5 BIG IP Access Policy Manager 12.1.3 F5 BIG IP Access Policy Manager 12.1.3.1 F5 BIG IP Access Policy Manager 12.1.3.2 F5 BIG IP Access Policy Manager 12.1.3.3 F5 BIG IP Access Policy Manager 12.1.3.4 F5 BIG IP Access Policy Manager 12.1.3.5 F5 BIG IP Access Policy Manager 12.1.3.6 F5 BIG IP Access Policy Manager 12.1.3.7 F5 BIG IP Access Policy Manager 12.1.4 F5 BIG IP Access Policy Manager 12.1.4.1 F5 BIG IP Access Policy Manager 12.1.4.2 F5 BIG IP Access Policy Manager 13.1.0 F5 BIG IP Access Policy Manager 13.1.0.1 F5 BIG IP Access Policy Manager 13.1.0.2 F5 BIG IP Access Policy Manager 13.1.0.3 F5 BIG IP Access Policy Manager 13.1.0.4 F5 BIG IP Access Policy Manager 13.1.0.5 F5 BIG IP Access Policy Manager 13.1.0.6 F5 BIG IP Access Policy Manager 13.1.0.7 F5 BIG IP Access Policy Manager 13.1.0.8 F5 BIG IP Access Policy Manager 13.1.1 F5 BIG IP Access Policy Manager 13.1.1.1 F5 BIG IP Access Policy Manager 13.1.1.2 F5 BIG IP Access Policy Manager 13.1.1.3 F5 BIG IP Access Policy Manager 13.1.1.4 F5 BIG IP Access Policy Manager 13.1.1.5 F5 BIG IP Access Policy Manager 13.1.2 F5 BIG IP Access Policy Manager 13.1.3 F5 BIG IP Access Policy Manager 13.1.3.1 F5 BIG IP Access Policy Manager 14.0.0 F5 BIG IP Access Policy Manager 14.0.0.2 F5 BIG IP Access Policy Manager 14.0.0.4 F5 BIG IP Access Policy Manager 14.0.0.5 F5 BIG IP Access Policy Manager 14.0.1 F5 BIG IP Access Policy Manager 14.1.0 F5 BIG IP Access Policy Manager 14.1.0.1 F5 BIG IP Access Policy Manager 14.1.0.2 F5 BIG IP Access Policy Manager 14.1.0.3 F5 BIG IP Access Policy Manager 14.1.0.3.0.79.6 F5 BIG IP Access Policy Manager 14.1.0.3.0.97.6 F5 BIG IP Access Policy Manager 14.1.0.3.0.99.6 F5 BIG IP Access Policy Manager 14.1.0.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.15.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.36.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.40.5 F5 BIG IP Access Policy Manager 14.1.0.6 F5 BIG IP Access Policy Manager 14.1.0.6.0.11.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.14.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.68.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.70.9 F5 BIG IP Access Policy Manager 14.1.2 F5 BIG IP Access Policy Manager 14.1.2-0.0.37 F5 BIG IP Access Policy Manager 14.1.2-0.89.37 F5 BIG IP Access Policy Manager 14.1.2.0.11.37 F5 BIG IP Access Policy Manager 14.1.2.0.18.37 F5 BIG IP Access Policy Manager 14.1.2.0.32.37 F5 BIG IP Access Policy Manager 15.0.0 F5 BIG IP Access Policy Manager 15.0.1 F5 BIG IP Access Policy Manager 15.0.1.0.33.11 F5 BIG IP Access Policy Manager 15.0.1.0.48.11 F5 BIG IP Access Policy Manager 15.0.1.1 F5 BIG IP Access Policy Manager 15.0.1.2 F5 BIG IP Access Policy Manager 15.0.1.3 F5 BIG IP Access Policy Manager 15.0.1.4 F5 BIG IP Access Policy Manager 15.1.0	79

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL37890841.NASL
description	The BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.(CVE-2019-19150) Impact The BIG-IP APM system logs the client-session-id in the log files and is available to authenticated administrators of the system.
last seen	2020-04-23
modified	2019-12-31
plugin id	132565
published	2019-12-31
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132565
title	F5 Networks BIG-IP : BIG-IP APM logging disclosure vulnerability (K37890841)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from F5 Networks BIG-IP Solution K37890841. # # The text description of this plugin is (C) F5 Networks. # include("compat.inc"); if (description) { script_id(132565); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/22"); script_cve_id("CVE-2019-19150"); script_name(english:"F5 Networks BIG-IP : BIG-IP APM logging disclosure vulnerability (K37890841)"); script_summary(english:"Checks the BIG-IP version."); script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." ); script_set_attribute( attribute:"description", value: "The BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.(CVE-2019-19150) Impact The BIG-IP APM system logs the client-session-id in the log files and is available to authenticated administrators of the system." ); script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K37890841" ); script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K37890841." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19150"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"F5 Networks Local Security Checks"); script_dependencies("f5_bigip_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version"); exit(0); } include("f5_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); version = get_kb_item("Host/BIG-IP/version"); if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP"); if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix"); if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules"); sol = "K37890841"; vmatrix = make_array(); # APM vmatrix["APM"] = make_array(); vmatrix["APM"]["affected" ] = make_list("15.0.0-15.0.1","14.1.0-14.1.2","14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.6.1-11.6.5"); vmatrix["APM"]["unaffected"] = make_list("15.1.0","15.0.1.3","14.1.2.1","14.0.1.1","13.1.3.2","12.1.5.1"); if (bigip_is_affected(vmatrix:vmatrix, sol:sol)) { if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get()); else security_note(0); exit(0); } else { tested = bigip_get_tested_modules(); audit_extra = "For BIG-IP module(s) " + tested + ","; if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version); else audit(AUDIT_HOST_NOT, "running the affected module APM"); }

References

https://support.f5.com/csp/article/K37890841