CVE-2022-44370
CVE-2022-44370 affects NASM v2.16, with a heap buffer overflow in the quote_for_pmake() function (asm/nasm.c:856). Connected advisories (Gentoo GLSA-202312-09 and EulerOS-SA entries) reference this vulnerability, and vendor advisories suggest upgrading NASM to a fixed release (Gentoo: >=nasm-2...
K30425568: Overview of F5 vulnerabilities (October 2022)
Security Advisory Description On October 19, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associate...
K22843911: F5 Path MTU Discovery vulnerability CVE-2015-7759
Security Advisory Description BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 12.0.0 before HF1, when the TCP profile for a virtual server is configured with Congestion Metrics Cache enabled, allow remote attackers to cause a denial of service Traffic Management Microkernel TM...
K29149494: iControl REST vulnerability CVE-2019-6637
Security Advisory Description Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated...
K04280042: BIG-IP ASM vulnerability CVE-2019-6650
Security Advisory Description F5 BIG-IP ASM may expose sensitive information and allow the system configuration to be modified when using non-default settings. CVE-2019-6650 Impact The vulnerability is only present on multi-bladed systems (VIPRION) with BIG-IP ASM provisioned, on the following...
K11830089: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617
Security Advisory Description When the F5 BIG-IP Advanced WAF or BIG-IP ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface. CVE-2022-41617 Impact On systems deployed in Standard or Appliance mode, this vulnerability may all...
K10366: BIND vulnerability - CVE-2009-0696
Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5...
K02694732: BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41691
Security Advisory Description When an F5 BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. CVE-2022-41691 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote...
K06440657: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Security Advisory Description The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. CVE-2021-23001 Impact An authenticated malicious user can upload malicious files to use in...
K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure
Security Advisory Description A BIG-IP ASM and F5 Advanced Web Application Firewall (Advanced WAF) attack signature check may fail to detect and block certain GET requests when cross-site request forgery (CSRF) protection is enabled. Impact Attackers may be able to bypass BIG-IP ASM and Advanced WAF...
K18570111: BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010
Security Advisory Description When the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON content profile in the ASM security policy, the BIG-IP ASM bd process may produce a core file. CVE-2021-23010 Impact When this vulnerability is exploited, t...
K55237223: BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
Security Advisory Description DOM-based XSS on DoS Profile properties page. CVE-2021-22993 Impact An attacker can inject a malicious script into the BIG-IP Advanced WAF and ASM Configuration utility and trick users into executing malicious code. Security Advisory Status F5 Product Development has...
K29042031: Multiple Spring Framework vulnerabilities
Security Advisory Description On April 5th, 2018, three new vulnerabilities were published in the popular Java web framework called Spring. Details on these vulnerabilities and exploit code are not yet available, and mitigation details may change if and when the exploit code is available. You can...
K17119920: BIG-IP ASM vulnerability CVE-2016-7472
Security Advisory Description When ASM is provisioned and configured, BIG-IP ASM 12.1.0 and 12.1.1 systems may allow remote attackers to cause a denial of service (DoS) via a crafted HTTP request. CVE-2016-7472 Impact The BIG-IP ASM system may temporarily fail to process traffic as it recovers from...
K03442392: BIG-IP ASM and Advanced WAF vulnerability CVE-2022-26890
Security Advisory Description When ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. CVE-2022-26890...
K22251611: Attack signature check security exposure
Security Advisory Description BIG-IP Advanced WAF and BIG-IP ASM systems incorrectly handle certain requests. This issue occurs when the following condition is met: BIG-IP Advanced WAF and BIG-IP ASM handle a malicious request when a parameter with Base64 decoding is enabled. Impact The attack...
K12403422: BIG-IP ASM vulnerability CVE-2018-5541
Security Advisory Description When the BIG-IP ASM system processes HTTP requests, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. CVE-2018-5541 Impact BIG-IP When this vulnerability is exploited, the BIG-IP ASM system may experience a denial of...
K23432927: The BIG-IP ASM system may redirect a client request to an incorrect URL
Security Advisory Description The BIG-IP ASM system may redirect a client request to an incorrect URL after the client browser passes the client-side integrity defense JavaScript challenge. This issue occurs when all of the following conditions are met: You have enabled the Client Side Integrity...
K18263026: The BIG-IP HTTP parser can incorrectly parse a tab character
Security Advisory Description When scanning a URI, the HTTP parser on the BIG-IP system may periodically treat a tab character as white space, which causes incorrect URI parsing. For example, the BIG-IP system receives the following GET string in an HTTP request: GET \t/admin/ HTTP/1.0\r\n\r\n...
K32055534: Brute Force Attack Prevention feature may erroneously stop prevention before an attack is over
Security Advisory Description The Brute Force Attack Prevention feature may stop prevention before the attack is over. This issue occurs when all of the following conditions are met: You configured the BIG-IP ASM system with many virtual servers (hundreds) that have web application protection with...