search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

F5 ARX Data Manager contains a SQL injection vulnerability

Vulnerability Note VU#210884

Original Release Date: 2014-06-17 | Last Revised: 2014-06-17

Overview

F5 ARX Data Manager 3.0.0 - 3.1.0 contains a SQL injection vulnerability.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

F5 ARX Data Manager 3.0.0 - 3.1.0 contains an unspecified SQL injection vulnerability.

Impact

A remote authenticated attacker may be able to run arbitrary SQL commands against the backend database.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Data Manager 3.x is considered end-of-life by the vendor and will not receive a security fix.

Stop the Service

F5 recommends stopping the Data Manager Service when not in use to mitigate this vulnerability. F5's SOL15310 document explains how to disable the service.

Vendor Information

210884
 
Expand all

F5 Networks, Inc. Affected

Notified:  May 14, 2014 Updated: June 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N
Temporal 5.2 E:F/RL:U/RC:C
Environmental 1.4 CDP:L/TD:L/CR:M/IR:M/AR:L

References

Acknowledgements

Thanks to Andrea Micalizzi (rgod) working with HP's Zero Day Initiative for reporting this vulnerability to F5.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-2949
Date Public: 2014-06-06
Date First Published: 2014-06-17
Date Last Updated: 2014-06-17 20:13 UTC
Document Revision: 12

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis