CVE-2019-6684
First published: Mon Dec 23 2019(Updated: )
On versions 15.0.0-15.0.1.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, under certain conditions, a multi-bladed BIG-IP Virtual Clustered Multiprocessing (vCMP) may drop broadcast packets when they are rebroadcast to the vCMP guest secondary blades. An attacker can leverage the fragmented broadcast IP packets to perform any type of fragmentation-based attack.
Credit: f5sirt@f5.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 Access Policy Manager | >=11.5.2<=11.6.5 | |
| F5 Access Policy Manager | >=12.1.0<=12.1.5 | |
| F5 Access Policy Manager | >=13.0.0<13.1.3.2 | |
| F5 Access Policy Manager | >=14.0.0<14.1.2.3 | |
| F5 Access Policy Manager | >=15.0.0<15.1.0 | |
| F5 BIG-IP Advanced Firewall Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Advanced Firewall Manager | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Advanced Firewall Manager | >=15.0.0<15.1.0 | |
| F5 BIG-IP Analytics | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Analytics | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Analytics | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Analytics | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Analytics | >=15.0.0<15.1.0 | |
| F5 BIG-IP Application Acceleration Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Application Acceleration Manager | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Application Acceleration Manager | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Application Acceleration Manager | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Application Acceleration Manager | >=15.0.0<15.1.0 | |
| F5 Application Security Manager | >=11.5.2<=11.6.5 | |
| F5 Application Security Manager | >=12.1.0<=12.1.5 | |
| F5 Application Security Manager | >=13.0.0<13.1.3.2 | |
| F5 Application Security Manager | >=14.0.0<14.1.2.3 | |
| F5 Application Security Manager | >=15.0.0<15.1.0 | |
| F5 BIG-IP | >=11.5.2<=11.6.5 | |
| F5 BIG-IP | >=12.1.0<=12.1.5 | |
| F5 BIG-IP | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP | >=15.0.0<15.1.0 | |
| F5 BIG-IP Fraud Protection Service | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Fraud Protection Service | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Fraud Protection Service | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Fraud Protection Service | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Fraud Protection Service | >=15.0.0<15.1.0 | |
| Riverbed SteelApp Traffic Manager | >=11.5.2<=11.6.5 | |
| Riverbed SteelApp Traffic Manager | >=12.1.0<=12.1.5 | |
| Riverbed SteelApp Traffic Manager | >=13.0.0<13.1.3.2 | |
| Riverbed SteelApp Traffic Manager | >=14.0.0<14.1.2.3 | |
| Riverbed SteelApp Traffic Manager | >=15.0.0<15.1.0 | |
| F5 BIG-IP Link Controller | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Link Controller | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Link Controller | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Link Controller | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Link Controller | >=15.0.0<15.1.0 | |
| Riverbed SteelApp Traffic Manager | >=11.5.2<=11.6.5 | |
| Riverbed SteelApp Traffic Manager | >=12.1.0<=12.1.5 | |
| Riverbed SteelApp Traffic Manager | >=13.0.0<13.1.3.2 | |
| Riverbed SteelApp Traffic Manager | >=14.0.0<14.1.2.3 | |
| Riverbed SteelApp Traffic Manager | >=15.0.0<15.1.0 | |
| F5 BIG-IP Policy Enforcement Manager | >=11.5.2<=11.6.5 | |
| F5 BIG-IP Policy Enforcement Manager | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Policy Enforcement Manager | >=13.0.0<13.1.3.2 | |
| F5 BIG-IP Policy Enforcement Manager | >=14.0.0<14.1.2.3 | |
| F5 BIG-IP Policy Enforcement Manager | >=15.0.0<15.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What versions of F5 BIG-IP are affected by CVE-2019-6684?
CVE-2019-6684 affects F5 BIG-IP versions 15.0.0-15.0.1.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1.
What issue does CVE-2019-6684 introduce in BIG-IP systems?
CVE-2019-6684 may cause a multi-bladed BIG-IP Virtual Clustered Multiprocessing (vCMP) system to drop broadcast packets under certain conditions.
How can CVE-2019-6684 be mitigated in affected systems?
Mitigation for CVE-2019-6684 involves upgrading affected F5 BIG-IP software to versions that do not exhibit the vulnerability.
Is there a workaround for CVE-2019-6684?
There are no specific workarounds available for CVE-2019-6684; upgrading to a fixed version is recommended.
What steps should be taken if my organization is using an affected F5 BIG-IP version in relation to CVE-2019-6684?
Organizations should immediately plan to upgrade to a fixed version of F5 BIG-IP to address the risk associated with CVE-2019-6684.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/f5
- canonical/f5 access policy manager
- version/f5 access policy manager/11.5.2
- version/f5 access policy manager/11.6.5
- version/f5 access policy manager/12.1.0
- version/f5 access policy manager/12.1.5
- version/f5 access policy manager/13.0.0
- version/f5 access policy manager/14.0.0
- version/f5 access policy manager/15.0.0
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/11.5.2
- version/f5 big-ip advanced firewall manager/11.6.5
- version/f5 big-ip advanced firewall manager/12.1.0
- version/f5 big-ip advanced firewall manager/12.1.5
- version/f5 big-ip advanced firewall manager/13.0.0
- version/f5 big-ip advanced firewall manager/14.0.0
- version/f5 big-ip advanced firewall manager/15.0.0
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/11.5.2
- version/f5 big-ip analytics/11.6.5
- version/f5 big-ip analytics/12.1.0
- version/f5 big-ip analytics/12.1.5
- version/f5 big-ip analytics/13.0.0
- version/f5 big-ip analytics/14.0.0
- version/f5 big-ip analytics/15.0.0
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/11.5.2
- version/f5 big-ip application acceleration manager/11.6.5
- version/f5 big-ip application acceleration manager/12.1.0
- version/f5 big-ip application acceleration manager/12.1.5
- version/f5 big-ip application acceleration manager/13.0.0
- version/f5 big-ip application acceleration manager/14.0.0
- version/f5 big-ip application acceleration manager/15.0.0
- canonical/f5 application security manager
- version/f5 application security manager/11.5.2
- version/f5 application security manager/11.6.5
- version/f5 application security manager/12.1.0
- version/f5 application security manager/12.1.5
- version/f5 application security manager/13.0.0
- version/f5 application security manager/14.0.0
- version/f5 application security manager/15.0.0
- canonical/f5 big-ip
- version/f5 big-ip/11.5.2
- version/f5 big-ip/11.6.5
- version/f5 big-ip/12.1.0
- version/f5 big-ip/12.1.5
- version/f5 big-ip/13.0.0
- version/f5 big-ip/14.0.0
- version/f5 big-ip/15.0.0
- canonical/f5 big-ip fraud protection service
- version/f5 big-ip fraud protection service/11.5.2
- version/f5 big-ip fraud protection service/11.6.5
- version/f5 big-ip fraud protection service/12.1.0
- version/f5 big-ip fraud protection service/12.1.5
- version/f5 big-ip fraud protection service/13.0.0
- version/f5 big-ip fraud protection service/14.0.0
- version/f5 big-ip fraud protection service/15.0.0
- canonical/riverbed steelapp traffic manager
- version/riverbed steelapp traffic manager/11.5.2
- version/riverbed steelapp traffic manager/11.6.5
- version/riverbed steelapp traffic manager/12.1.0
- version/riverbed steelapp traffic manager/12.1.5
- version/riverbed steelapp traffic manager/13.0.0
- version/riverbed steelapp traffic manager/14.0.0
- version/riverbed steelapp traffic manager/15.0.0
- canonical/f5 big-ip link controller
- version/f5 big-ip link controller/11.5.2
- version/f5 big-ip link controller/11.6.5
- version/f5 big-ip link controller/12.1.0
- version/f5 big-ip link controller/12.1.5
- version/f5 big-ip link controller/13.0.0
- version/f5 big-ip link controller/14.0.0
- version/f5 big-ip link controller/15.0.0
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/11.5.2
- version/f5 big-ip policy enforcement manager/11.6.5
- version/f5 big-ip policy enforcement manager/12.1.0
- version/f5 big-ip policy enforcement manager/12.1.5
- version/f5 big-ip policy enforcement manager/13.0.0
- version/f5 big-ip policy enforcement manager/14.0.0
- version/f5 big-ip policy enforcement manager/15.0.0