F5 Networks BIG-IP : Python and Jython vulnerability (K53192206)

medium Nessus Plugin ID 101912


The remote device is missing a vendor-supplied security patch.


** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x.

NOTE: this was REJECTed because it is incompatible with CNT1 'Independently Fixable' in the CVE Counting Decisions. (CVE-2013-1752)

It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.

Important: The status of CVE-2013-1752 was changed to REJECT by MITRE because it did not meet the criteria for the CNT1 CVE counting rule.
However, the original vulnerabilities were addressed in the versions indicated in the Security Advisory Status section of this article. For more information, refer to CVE Counting Rules. This link takes you to a resource outside of AskF5, and the third party could remove the document without our knowledge.


This vulnerability allows a malicious server to send extremely long responses, causing excessive memory usage on a client in order to cause a denial of service (DoS).


Upgrade to one of the non-vulnerable versions listed in the F5 Solution K53192206.


Plugin Details

Severity: Medium

ID: 101912

File Name: f5_bigip_SOL53192206.nasl

Version: 3.7

Type: local

Published: 7/24/2017

Updated: 3/10/2021

Dependencies: f5_bigip_detect.nbin

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.3

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2017

Vulnerability Publication Date: 6/3/2019

Reference Information

CVE: CVE-2013-1752

BID: 63804