BD is aware of and currently monitoring two F5 Networks vulnerabilities affecting the BIG-IP Traffic Management User Interface (TMUI). These third-party vulnerabilities, which F5 Networks corrected in their June 30, 2020 patch release, are not specific to BD or our products. Additionally, we have not received any reports of these vulnerabilities being exploited on BD products.
CVE-2020-5902 is a remote code execution vulnerability in undisclosed pages of the TMUI, also known as the Configuration utility. This vulnerability affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The security patch released by F5 Networks addresses this vulnerability.
This vulnerability could allow an unauthenticated user with network access to the TMUI, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
CVE-2020-5903 is a cross-site scripting (XSS) vulnerability in an undisclosed page of the BIG-IP Configuration utility. This vulnerability affects BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The security patch released by F5 Networks addresses this vulnerability.
If exploited, this vulnerability could allow an attacker to run JavaScript as the currently logged-in user. If that user is an administrative user with Advanced Shell access, successful exploitation can be leveraged to completely compromise the BIG-IP system through remote code execution.
BD has deployed, tested, and validated the F5 Networks patch. Please review the Product Security Patching website for all approved product security patching notifications.
BD has not received any reports of these third-party vulnerabilities being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM). The list is not comprehensive and may be updated as more products are identified. It does not indicate patch or device status.
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.