
13470 matches found

F5 Networks
added 2023/02/21 7:0 p.m. | 97 views

K43429502: OpenSSL RSA key generation vulnerability CVE-2018-0737

Security Advisory Description The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL...

5.9 CVSS | 6.1 AI score | 0.38121 EPSS
Exploits: 0
F5 Networks
added 2023/02/21 6:59 p.m. | 53 views

K42910051: OpenSSL vulnerability CVE-2020-1971

Security Advisory Description The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not...

5.9 CVSS | 7 AI score | 0.00335 EPSS
Exploits: 3 | Affected Software: 18
F5 Networks
added 2023/02/21 6:55 p.m. | 20 views

K65372933: BIG-IP HTTP/2 vulnerability CVE-2020-5875

Security Advisory Description Under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy. CVE-2020-5875 Impact If you have enabled HTTP/2, Message Routing Framework (MRF), and SSL, a certain request...

7.5 CVSS | 7.5 AI score | 0.00647 EPSS
Exploits: 0 | Affected Software: 11
F5 Networks
added 2023/02/21 6:54 p.m. | 57 views

K53084033: OpenSSL vulnerability CVE-2016-2178

Security Advisory Description The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. CVE-2016-2178 Impact An...

5.5 CVSS | 7.3 AI score | 0.00189 EPSS
Exploits: 1 | Affected Software: 26
F5 Networks
added 2023/02/21 6:54 p.m. | 44 views

K60156735: MySQL vulnerabilities CVE-2017-10276, CVE-2017-10279, CVE-2017-10283, CVE-2017-10284, and CVE-2017-10286

Security Advisory Description CVE-2017-10276 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network acce...

6.5 CVSS | 6.2 AI score | 0.00526 EPSS
Exploits: 0
F5 Networks
added 2023/02/21 6:53 p.m. | 31 views

K26244025: BIG-IP HTTP compression profile vulnerability CVE-2020-5933

Security Advisory Description When a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger an out-of-memory condition on the BIG-IP system. CVE-2020-5933 Impact Th...

7.8 CVSS | 7.4 AI score | 0.00611 EPSS
Exploits: 0 | Affected Software: 11
F5 Networks
added 2023/02/21 6:53 p.m. | 24 views

K72752002: BIG-IP SSL/TLS CRL vulnerability CVE-2020-5913

Security Advisory Description The BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a man-in-the-middle attack on the connections. CVE-2020-5913 Impact The BIG-IP system does not enforce Transport...

7.4 CVSS | 7.3 AI score | 0.00193 EPSS
Exploits: 0 | Affected Software: 14
F5 Networks
added 2023/02/21 6:53 p.m. | 77 views

K12542008: Apache Struts vulnerabilities CVE-2017-9793 and CVE-2017-9804

Security Advisory Description CVE-2017-9793 The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload. CVE-2017-9804 In Apache Stru...

7.5 CVSS | 7 AI score | 0.07937 EPSS
Exploits: 22
F5 Networks
added 2023/02/21 6:53 p.m. | 101 views

K46011592: HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518

Security Advisory Description Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or...

7.8 CVSS | 7.9 AI score | 0.03578 EPSS
Exploits: 0
F5 Networks
added 2023/02/21 6:53 p.m. | 123 views

K48050136: OpenSSH client vulnerability CVE-2020-14145

Security Advisory Description The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts where no host key for the server has been cached by the...

5.9 CVSS | 6.8 AI score | 0.01254 EPSS
Exploits: 2 | Affected Software: 15
F5 Networks
added 2023/02/21 6:47 p.m. | 359 views

K48382137: Bootstrap vulnerability CVE-2018-14040

Security Advisory Description In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. CVE-2018-14040 Impact An attacker may exploit this vulnerability to perform a cross-site scripting (XSS) attack. Security Advisory Status F5 Product Development has assigned ID 767373...

6.1 CVSS | 6.6 AI score | 0.0192 EPSS
Exploits: 1 | Affected Software: 15
F5 Networks
added 2023/02/21 6:47 p.m. | 47 views

K57211290: IPv6 fragmentation vulnerability CVE-2016-10142

Security Advisory Description An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. The scope of this CVE is all affected IPv6 implementations from all vendors. The security implications of IP fragmentation have been discussed at length in RFC627...

8.6 CVSS | 8.2 AI score | 0.01101 EPSS
Exploits: 0 | Affected Software: 23
F5 Networks
added 2023/02/21 6:35 p.m. | 44 views

K53632470: PostgreSQL vulnerabilities CVE-2020-25694, CVE-2020-25695

Security Advisory Description CVE-2020-25694 A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while droppi...

8.8 CVSS | 7.1 AI score | 0.23757 EPSS
Exploits: 0
F5 Networks
added 2023/02/21 6:35 p.m. | 30 views

K00025388: BIG-IP TMM AWS vulnerability CVE-2020-5856

Security Advisory Description While processing specifically crafted traffic using the default 'xnet' driver, BIG-IP Virtual Edition (VE) instances hosted in Amazon Web Services (AWS) may experience a Traffic Management Microkernel (TMM) restart. CVE-2020-5856 Impact A remote attacker may be able to...

7.5 CVSS | 7.5 AI score | 0.00891 EPSS
Exploits: 0 | Affected Software: 11
F5 Networks
added 2023/02/21 6:34 p.m. | 114 views

K18549143: OpenSSL vulnerability CVE-2019-1559

Security Advisory Description If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if...

5.9 CVSS | 6.6 AI score | 0.0496 EPSS
Exploits: 0 | Affected Software: 15
F5 Networks
added 2023/02/21 6:33 p.m. | 74 views

K32412075: AngularJS XSS vulnerability CVE-2020-7676

Security Advisory Description angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code. CVE-2020-7676 Impact An attack...

5.4 CVSS | 6.3 AI score | 0.00563 EPSS
Exploits: 0 | Affected Software: 3
F5 Networks
added 2023/02/21 6:33 p.m. | 86 views

K19785240: Bootstrap vulnerability CVE-2018-14042

Security Advisory Description In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. CVE-2018-14042 Impact An attacker may exploit this vulnerability to perform a cross-site scripting (XSS) attack. Security Advisory Status F5 Product Development has assigned ID 767373...

6.1 CVSS | 6.5 AI score | 0.02281 EPSS
Exploits: 1 | Affected Software: 15
F5 Networks
added 2023/02/21 6:30 p.m. | 99 views

K16090: BIG-IP Automatic Update Check and ASM Automatic Signature Update man-in-the-middle vulnerability CVE-2014-9326

Security Advisory Description The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and PEM 11.3.0 through 11.6.0 and the (2) Call Home feature in ASM 10.0.0...

4.3 CVSS | 6.8 AI score | 0.00218 EPSS
Exploits: 0 | Affected Software: 9
F5 Networks
added 2023/02/21 6:14 p.m. | 44 views

K15158: OpenSSL vulnerability CVE-2013-6450

Security Advisory Description The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and...

5.8 CVSS | 7.3 AI score | 0.19665 EPSS
Exploits: 1 | Affected Software: 10
F5 Networks
added 2023/02/21 6:12 p.m. | 25 views

K15500: SSL acceleration card timing vulnerability CVE-2014-4024

Security Advisory Description SSL virtual servers in F5 BIG-IP systems 10.x before 10.2.4 HF9, 11.x before 11.2.1 HF12, 11.3.0 before HF10, 11.4.0 before HF8, 11.4.1 before HF5, 11.5.0 before HF5, and 11.5.1 before HF5, when used with third-party Secure Sockets Layer (SSL) accelerator cards, might...

5.9 CVSS | 6.1 AI score | 0.00743 EPSS
Exploits: 0 | Affected Software: 13