F5 Networks BIG-IP : Python and Jython vulnerability (K53192206)

medium Nessus Plugin ID 101912
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib

- fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x.
NOTE: this was REJECTed because it is incompatible with CNT1 'Independently Fixable' in the CVE Counting Decisions. (CVE-2013-1752)

It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.

Important : The status of CVE-2013-1752 was changed to REJECT by MITRE because it did not meet the criteria for the CNT1 CVE counting rule.
However, the original vulnerabilities were addressed in the versions indicated in the Security Advisory Status section of this article. For more information, refer to CVE Counting Rules. This link takes you to a resource outside of AskF5, and the third-party could remove the document without our knowledge.

Impact

This vulnerability allows a malicious server to send extremely long responses, causing excessive memory usage on a client in order to cause a denial of service (DoS).

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K53192206.

See Also

https://cve.mitre.org/about/faqs.html#reject_signify_in_cve_entry

https://cve.mitre.org/cve/list_rules_and_guidance/counting_rules.html

https://support.f5.com/csp/article/K53192206

Plugin Details

Severity: Medium

ID: 101912

File Name: f5_bigip_SOL53192206.nasl

Version: 3.7

Type: local

Published: 7/24/2017

Updated: 3/10/2021

Dependencies: f5_bigip_detect.nbin

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.3

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2017

Vulnerability Publication Date: 6/3/2019

Reference Information

CVE: CVE-2013-1752

BID: 63804