P10, P10 Plus Security Vulnerabilities

cvelist | CVE-2024-21775 SQL Injection

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting...

CVSS 8.3 | AI Score 8.9 | EPSS 0.0004 | 2024-02-16 02:35 PM
ibm | Security Bulletin: IBM Copy Services manager is affected by IBM SDK, Java Technology Edition Quarterly CPU - Oct 2023 - Includes Oracle October 2023 CPU plus CVE-2023-5676

Summary IBM Copy Services Manager is affected by All applicable Java SE CVEs published by Oracle as part of their October 2023 Critical Patch Update plus CVE-2023-5676. Vulnerability Details Refer to the security bulletin(s) listed in the Remediation/Fixes section Affected Products and Versions...

CVSS 5.9 | AI Score 6.1 | EPSS 0.001 | 2024-02-15 07:45 PM
7
amazon | Medium: jetty

Issue Overview: Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely...

CVSS 5.3 | AI Score 6.6 | EPSS 0.001 | 2024-02-15 03:52 AM
9
f5 | K000138628 : python-pip vulnerabilities CVE-2021-3572 and CVE-2023-5752

Security Advisory Description CVE-2021-3572 A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity....

CVSS 5.7 | AI Score 7.1 | EPSS 0.001 | 2024-02-15 12:00 AM
14
nessus | Oracle Linux 8 : openssh (ELSA-2024-12164)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-12164 advisory. The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass...

CVSS 6.5 | AI Score 6.7 | EPSS 0.963 | 2024-02-15 12:00 AM
74
nessus | FreeBSD : nginx-devel -- Multiple Vulnerabilities in HTTP/3 (c97a4ecf-cc25-11ee-b0ee-0050569f0b83)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the c97a4ecf-cc25-11ee-b0ee-0050569f0b83 advisory. When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed...

CVSS 7.5 | AI Score 8 | EPSS 0.0004 | 2024-02-15 12:00 AM
18
f5 | K000138629 : Python vulnerability CVE-2022-48560

Security Advisory Description A use-after-free exists in Python through 3.9 via heappushpop in heapq. (CVE-2022-48560) Impact There is no impact; F5 products are not affected by this...

CVSS 7.5 | AI Score 6.6 | EPSS 0.001 | 2024-02-15 12:00 AM
11
debiancve | CVE-2024-24989

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 6.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
5
nvd | CVE-2024-24990

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
2
cve | CVE-2024-24989

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
96
cve | CVE-2024-24990

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
80
nvd | CVE-2024-24989

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
1
osv | CVE-2024-24989

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 6.2 | EPSS 0.0004 | 2024-02-14 05:15 PM
3
osv | CVE-2024-24990

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 6.2 | EPSS 0.0004 | 2024-02-14 05:15 PM
1
debiancve | CVE-2024-24990

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 6.5 | EPSS 0.0004 | 2024-02-14 05:15 PM
3
prion | Design/Logic Flaw

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.1 | EPSS 0.0004 | 2024-02-14 05:15 PM
5
prion | Design/Logic Flaw

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.1 | EPSS 0.0004 | 2024-02-14 05:15 PM
4
cvelist | CVE-2024-24990 NGINX HTTP/3 QUIC vulnerability

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.6 | EPSS 0.0004 | 2024-02-14 04:30 PM
3
cvelist | CVE-2024-24989 NGINX HTTP/3 QUIC vulnerability

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.6 | EPSS 0.0004 | 2024-02-14 04:30 PM
1
filippoio | PINs for Cryptography with Hardware Secure Elements

I'm a big fan of technologies that enable otherwise impossible security properties and user experiences, like cryptography often can. One such technology is hardware secure elements. Here's a thing you can't do with cryptography: encrypt data securely with a low-entropy secret, like a PIN. If a...

AI Score 6.5 | 2024-02-14 02:01 PM
6
freebsd_advisory | FreeBSD-SA-24:01.bhyveload

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:01.bhyveload Security Advisory The FreeBSD Project Topic: bhyveload(8) host file access Category: core Module: bhyeload Announced: 2024-02-14 Credits: The...

AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
3
f5 | K000137334 : F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability CVE-2024-23805

Security Advisory Description Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. For the Application Visibility and Reporting module, this may occur when the HTTP Analytics profile with URLs enabled under Collected Entities is configured on a virtual server and...

CVSS 7.5 | AI Score 6.9 | EPSS 0.0004 | 2024-02-14 12:00 AM
16
f5 | K000137796 : BIG-IP SSL profile security exposure

Security Advisory Description The BIG-IP system may not honor the revocation status of a certificate present in the certificate revocation list (CRL) file, potentially allowing unauthorized connections. This issue occurs when all of the following conditions are met: A ClientSSL or ServerSSL...

AI Score 7 | 2024-02-14 12:00 AM
28
f5 | K000138618 : BIND vulnerability CVE-2023-5680

Security Advisory Description If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1...

CVSS 5.3 | AI Score 6.6 | EPSS 0.0005 | 2024-02-14 12:00 AM
14
f5 | K000137675 : BIG-IP HTTP/2 vulnerability CVE-2024-23314

Security Advisory Description When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-23314) Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote...

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
11
ubuntucve | CVE-2024-24989

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.6 | EPSS 0.0004 | 2024-02-14 12:00 AM
18
ubuntucve | CVE-2024-24990

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3...

CVSS 7.5 | AI Score 7.6 | EPSS 0.0004 | 2024-02-14 12:00 AM
11
f5 | K000132800 : F5OS QKView utility vulnerability CVE-2024-23607

Security Advisory Description A directory traversal vulnerability exists in the F5OS QKView utility that allows an authenticated attacker to read files outside the QKView directory. (CVE-2024-23607) Impact An authenticated attacker may exploit this vulnerability by executing a crafted QKView...

CVSS 5.5 | AI Score 6.8 | EPSS 0.0004 | 2024-02-14 12:00 AM
9
f5 | K000137886 : BIG-IP Next CNF vulnerability CVE-2024-23306

Security Advisory Description A vulnerability exists in BIG-IP Next CNF systems that may allow access to undisclosed sensitive files. (CVE-2024-23306) Impact An authenticated attacker may be able to modify or remove undisclosed configuration files causing a loss of confidentiality and other...

CVSS 4.4 | AI Score 6.7 | EPSS 0.0004 | 2024-02-14 12:00 AM
7
f5 | K000133111 : F5OS vulnerability CVE-2024-24966

Security Advisory Description When LDAP remote authentication is configured on F5OS, a remote user without an assigned role will be incorrectly authorized. (CVE-2024-24966) Impact This vulnerability may allow an LDAP authenticated attacker to bypass intended access restrictions. There is no data...

CVSS 6.2 | AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
8
f5 | K000137595 : BIG-IP AFM signature matching vulnerability CVE-2024-21771

Security Advisory Description For unspecified traffic patterns, BIG-IP AFM IPS engine may spend an excessive amount of time matching the traffic against signatures, resulting in Traffic Management Microkernel (TMM) restarting and traffic disruption. (CVE-2024-21771) Impact When attackers exploit...

CVSS 7.5 | AI Score 7.7 | EPSS 0.0004 | 2024-02-14 12:00 AM
14
f5 | K98606833 : BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782

Security Advisory Description BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced Shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an...

CVSS 7.2 | AI Score 8.1 | EPSS 0.001 | 2024-02-14 12:00 AM
8
nessus | Oracle Linux 7 : openssh (ELSA-2024-12157)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-12157 advisory. The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity...

CVSS 5.9 | AI Score 7 | EPSS 0.963 | 2024-02-14 12:00 AM
17
freebsd_advisory | FreeBSD-SA-24:02.tty

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:02.tty Security Advisory The FreeBSD Project Topic: jail(2) information leak Category: core Module: jail Announced: 2024-02-14 Credits: Pawel Jakub Dawidek...

AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
1
f5 | K000137521: BIG-IP AFM vulnerability CVE-2024-21763

Security Advisory Description When BIG-IP AFM Device DoS or DoS profile is configured with NXDOMAIN attack vector and bad actor detection, undisclosed queries can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-21763) Impact Traffic is disrupted while the TMM process...

CVSS 7.5 | AI Score 7.7 | EPSS 0.0004 | 2024-02-14 12:00 AM
10
f5 | K000137522 : BIG-IP iControl REST vulnerability CVE-2024-22093

Security Advisory Description When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on multi-bladed systems. A successful exploit can allow the attacker to cross a security boundary. (CVE-2024-22093) Impact This...

CVSS 8.7 | AI Score 8.1 | EPSS 0.0004 | 2024-02-14 12:00 AM
14
f5 | K000134516 : BIG-IP SSL Client Certificate LDAP and CRLDP Authentication profiles vulnerability CVE-2024-23979

Security Advisory Description When an SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. (CVE-2024-23979) Impact System performance...

CVSS 7.5 | AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
10
f5 | K000138047 : BIG-IP Advanced WAF and BIG-IP ASM Configuration utility vulnerability CVE-2024-23603

Security Advisory Description An SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. (CVE-2024-23603) Impact An authenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP Configuration...

CVSS 3.8 | AI Score 8.1 | EPSS 0.0004 | 2024-02-14 12:00 AM
9
f5 | K91054692 : BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976

Security Advisory Description When running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions utilizing iAppsLX templates on a BIG-IP system. (CVE-2024-23976) Impact An authenticated attacker with local system access and...

CVSS 6 | AI Score 6.5 | EPSS 0.0004 | 2024-02-14 12:00 AM
12
f5 | K11453402 : BIG-IP Cookie encryption security exposure

Security Advisory Description When HTTP Profile Cookie encryption is enabled, duplicate HTTP cookies may be passed on to back-end servers. This issue occurs when the following condition is met: The virtual server has an HTTP Profile with Cookie Encryption enabled. Impact The back-end pool member...

AI Score 7 | 2024-02-14 12:00 AM
19
f5 | K000135946 : BIG-IP PEM vulnerability CVE-2024-23982

Security Advisory Description When a BIG-IP PEM classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This issue affects classification engines using signatures released between 09-08-2022 and 02-16-2023.....

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
14
f5 | K000138353 : Quarterly Security Notification (February 2024)

Security Advisory Description On February 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the...

CVSS 8.7 | AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
10
f5 | K000138445 : NGINX HTTP/3 QUIC vulnerability CVE-2024-24990

Security Advisory Description When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24990) Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information,....

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
24
f5 | K000138444 : NGINX HTTP/3 QUIC vulnerability CVE-2024-24989

Security Advisory Description When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989) Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information,....

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
22
f5 | K000137416 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308

Security Advisory Description When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based...

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
10
f5 | K000137270 : BIG-IP Advanced WAF and BIG-IP ASM and vulnerability CVE-2024-21789

Security Advisory Description When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. (CVE-2024-21789) Impact System performance can degrade until the bd process is either forced to restart or is...

CVSS 7.5 | AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
8
nessus | Oracle Linux 7 : openssh (ELSA-2024-12158)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-12158 advisory. The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity...

CVSS 5.9 | AI Score 7 | EPSS 0.963 | 2024-02-14 12:00 AM
39
f5 | K000135873 : BIG-IP Websockets vulnerability CVE-2024-21849

Security Advisory Description When an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate. (CVE-2024-21849) Impact Traffic is disrupted while the TMM process...

CVSS 7.5 | AI Score 7.3 | EPSS 0.0004 | 2024-02-14 12:00 AM
11
f5 | K000137333 : BIG-IP TMM vulnerability CVE-2024-24775

Security Advisory Description When a virtual server is enabled with VLAN group and SNAT listener is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-24775) Impact Traffic is disrupted while the TMM process restarts. This vulnerability...

CVSS 7.5 | AI Score 7.2 | EPSS 0.0004 | 2024-02-14 12:00 AM
11
f5 | K32544615: BIG-IP iControl REST API vulnerability CVE-2024-22389

Security Advisory Description When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device. (CVE-2024-22389) Impact This vulnerability may allow an authenticated attacker to use deleted or updated API tokens on the peer...

CVSS 7.2 | AI Score 7 | EPSS 0.0004 | 2024-02-14 12:00 AM
9
Total number of security vulnerabilities: 14831