Vulnerability Note VU#210884
F5 ARX Data Manager contains a SQL injection vulnerability
Original Release date: 17 Jun 2014 | Last revised: 17 Jun 2014

Overview
F5 ARX Data Manager 3.0.0 – 3.1.0 contains a SQL injection vulnerability.

Description
CWE-89: Improper Neutralization of Special Elements used in an SQL Command
F5 ARX Data Manager 3.0.0 – 3.1.0 contains an unspecified SQL injection vulnerability.

Impact
A remote authenticated attacker may be able to run arbitrary SQL commands against the backend database.

Solution
The CERT/CC is currently unaware of a practical solution to this problem. Data Manager 3.x is considered end-of-life by the vendor and will not receive a security fix.
Stop the Service

F5 recommends stopping the Data Manager Service when not in use to mitigate this vulnerability. F5’s SOL15310 document explains how to disable the service.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedF5 Networks, Inc.Affected14 May 201417 Jun 2014If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

Temporal
5.2
E:F/RL:U/RC:C

Environmental
1.4
CDP:L/TD:L/CR:M/IR:M/AR:L

References

http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626
http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html
http://cwe.mitre.org/data/definitions/89.html

Credit

Thanks to Andrea Micalizzi (rgod) working with HP’s Zero Day Initiative for reporting this vulnerability to F5.
This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2014-2949

Date Public:
06 Jun 2014

Date First Published:
17 Jun 2014

Date Last Updated:
17 Jun 2014

Document Revision:
11

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply