CVE-2017-6144

Published: Oct 20, 2017Modified: May 13, 2026

7.4

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.

Affected (3)

Products: F5: Big Ip Policy Enforcement Manager

1 product

Big Ip Policy Enforcement Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Policy Enforcement Manager	Version 12.1.0
F5 Big Ip Policy Enforcement Manager	Version 12.1.1
F5 Big Ip Policy Enforcement Manager	Version 12.1.2

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (2)

https://support.f5.com/csp/article/K81601350

Source: f5sirt@f5.com

MitigationVendor Advisory

https://support.f5.com/csp/article/K81601350

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.