CVE-2015-3628

Name of the Vulnerable Software and Affected Versions F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM versions 11.3.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6 F5 BIG-IP AAM versions 11.4.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6 F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.3.0 F5 BIG-IP GTM versions 11.3.0 through 11.6.0 before HF6 F5 BIG-IP PSM versions 11.3.0 through 11.4.1 F5 Enterprise Manager versions 3.1.0 through 3.1.1 F5 BIG-IQ Cloud and Security versions 4.0.0 through 4.5.0 F5 BIG-IQ Device versions 4.2.0 through 4.5.0 F5 BIG-IQ ADC version 4.5.0

Description The issue allows remote authenticated users with the "Resource Administrator" role to gain privileges via an iCall script or handler in a SOAP request to "iControl/iControlPortal.cgi".

Recommendations For F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM versions 11.3.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6, update to a version with the fix. For F5 BIG-IP AAM versions 11.4.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6, update to a version with the fix. For F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.3.0, update to a version with the fix. For F5 BIG-IP GTM versions 11.3.0 through 11.6.0 before HF6, update to a version with the fix. For F5 BIG-IP PSM versions 11.3.0 through 11.4.1, update to a version with the fix. For F5 Enterprise Manager versions 3.1.0 through 3.1.1, update to a version with the fix. For F5 BIG-IQ Cloud and Security versions 4.0.0 through 4.5.0, update to a version with the fix. For F5 BIG-IQ Device versions 4.2.0 through 4.5.0, update to a version with the fix. For F5 BIG-IQ ADC version 4.5.0, update to a version with the fix.