CVE-2019-6609
CRITICALBIG-IP 12.1.1-12.1.4, 13.0.0-13.1.1.3, 14.0.0-14.1.0.1 - Insufficiently Protected Credentials
Title source: llmDescription
Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to store the unit key. Instead the unit key is stored in plaintext on disk as would be the case for Z100 systems. Additionally this causes the unit key to be stored in UCS files taken on these platforms.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K18535734
Scores
CVSS v3
9.8
EPSS
0.0047
EPSS Percentile
64.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-522
Status
published
Products (26)
f5/big-ip_access_policy_manager
12.1.1 hf2
f5/big-ip_access_policy_manager
12.1.2 - 12.1.4.1
f5/big-ip_advanced_firewall_manager
12.1.1 hf2
f5/big-ip_advanced_firewall_manager
12.1.2 - 12.1.4.1
f5/big-ip_analytics
12.1.1 hf2
f5/big-ip_analytics
12.1.2 - 12.1.4.1
f5/big-ip_application_acceleration_manager
12.1.1 hf2
f5/big-ip_application_acceleration_manager
12.1.2 - 12.1.4.1
f5/big-ip_application_security_manager
12.1.1 hf2
f5/big-ip_application_security_manager
12.1.2 - 12.1.4.1
... and 16 more
Published
Apr 15, 2019
Tracked Since
Feb 18, 2026