CVE-2018-5548

Name of the Vulnerable Software and Affected Versions BIG-IP APM versions 11.6.0 through 11.6.3

Description The issue concerns the use of an insecure AES ECB mode for the orig uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile. This allows a malicious user to build a redirect URI value using different blocks of cipher texts.

Recommendations For BIG-IP APM versions 11.6.0 through 11.6.3, consider restricting access to the undisclosed /vdesk link of APM virtual server configured with an access profile until a fix is available. As a temporary workaround, avoid using the orig uri parameter in the affected link to minimize the risk of exploitation.