History: Jul 01, 2019 - 12:00 a.m.

K20541896 : iControl REST and tmsh vulnerability CVE-2019-6621

my.f5.com

EPSS: 0.002 Low (percentile 53.0%)

Security Advisory Description

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both iControl REST and tmsh implementations. (CVE-2019-6621)

Impact

BIG-IP and BIG-IQ

This vulnerability may bypass Appliance mode security by allowing the execution of arbitrary Advanced Shell (bash) commands. In non-Appliance mode deployments, the Administrator and Resource Administrator users already own this level of access. F5 considers this vulnerability a security concern primarily for systems deployed in Appliance mode, though a valid attack vector exists for non-Appliance mode systems with users who are not already granted bash access, such as a Resource Administrator, who by default is not explicitly granted bash access.

Enterprise Manager, F5 iWorkflow, and Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.
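The version ranges and the Appliance mode emphasis above can be applied to a device inventory as follows. This is an added example, not F5 code: the function names, hostnames and inventory rows are constructed, and it assumes the listed bounds are inclusive and taken literally, so a build above an upper bound is reported as not listed.

```python
"""Triage an inventory against the ranges listed in K20541896 (CVE-2019-6621)."""

# Ranges copied from the advisory text; bounds treated as inclusive (assumption).
AFFECTED = {
    "BIG-IP": [("14.1.0", "14.1.0.5"), ("14.0.0", "14.0.0.4"),
               ("13.0.0", "13.1.1.4"), ("12.1.0", "12.1.4.1"),
               ("11.6.1", "11.6.3.4"), ("11.5.2", "11.5.8")],
    "BIG-IQ": [("7.0.0", "7.1.0.2"), ("6.0.0", "6.1.0"), ("5.1.0", "5.4.0")],
}
# Products the advisory states are not affected.
NOT_AFFECTED = {"Enterprise Manager", "F5 iWorkflow", "Traffix SDC"}


def parse_version(text, width=4):
    """Turn '13.1.1.4' into a zero-padded int tuple so ranges compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def in_listed_range(product, version):
    """True when the version falls inside any range listed for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))


def triage(product, version, appliance_mode):
    """Classify one device; Appliance mode systems are the primary concern."""
    if product in NOT_AFFECTED:
        return "not-affected"
    if product not in AFFECTED:
        return "unknown-product"
    if not in_listed_range(product, version):
        return "not-listed"
    return "affected-priority" if appliance_mode else "affected"


# Constructed sample inventory: (host, product, version, appliance_mode).
INVENTORY = [
    ("ltm-a.example", "BIG-IP", "13.1.0.8", True),
    ("ltm-b.example", "BIG-IP", "14.1.0.6", True),
    ("ltm-c.example", "BIG-IP", "12.1.4", False),
    ("iq-a.example", "BIG-IQ", "6.1.0", False),
    ("em-a.example", "Enterprise Manager", "3.1.1", False),
]

if __name__ == "__main__":
    for host, product, version, appliance in INVENTORY:
        print(f"{host:15} {product:20} {version:10} {triage(product, version, appliance)}")
```

Devices reported as "affected" without Appliance mode still warrant a review of which accounts hold the Resource Administrator role, since that role is not granted bash access by default.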
