K24465120: iControl REST vulnerability CVE-2017-6167
Security Advisory Description Race conditions in iControl REST may lead to commands executed with different privilege levels than expected. CVE-2017-6167 Impact Sending asynchronous tasks using the iControl REST API may be processed as the wrong user and result in an error. Security Advisory Stat...
K55580033: iControl REST vulnerability CVE-2022-35728
Security Advisory Description An authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. CVE-2022-35728 Impact A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user's iControl REST...
K50310001: BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2022-34851
Security Advisory Description An authenticated attacker may cause iControl SOAP to become unavailable through undisclosed requests. CVE-2022-34851 Impact This vulnerability allows a remote authenticated attacker with at least guest role privileges to send undisclosed requests to iControl SOAP,...
K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Security Advisory Description The iControl REST interface has an unauthenticated remote command execution vulnerability. CVE-2021-22986 Impact This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and se...
K59904248: iControl SOAP vulnerability CVE-2022-29474
Security Advisory Description A directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. CVE-2022-29474 Impact An authenticated attacker with at least guest role privileges may...
K65460334: Expat XML parser vulnerability CVE-2012-6702
Security Advisory Description Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. CVE-2012-6702 Impact An attacker m...
K25595031: zxfrd vulnerability CVE-2020-27725
Security Advisory Description zxfrd leaks memory when listing DNS zones. Zones can be listed via TMSH, iControl or SNMP; only users with access to those services can trigger this vulnerability. CVE-2020-27725 Impact The memory leak by the zxfrd process eventually causes the system to experience a...
K22317030: iControl REST vulnerability CVE-2017-6145
Security Advisory Description iControl REST includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens...
K83043359: Apache HTTPD vulnerability CVE-2017-3169
Security Advisory Description In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection during an HTTP request to an HTTPS port. CVE-2017-3169 Impact When the vulnerability is exploited, the Apache httpd...
K20606443: iControl REST CSRF vulnerability CVE-2020-5922
Security Advisory Description iControl REST does not implement cross-site request forgery (CSRF) protections for users applying basic authentication in a web browser. CVE-2020-5922 Impact In a successful exploit, an attacker can run JavaScript in the context of the currently logged-in user. For an...
K11742742: iControl REST vulnerability CVE-2022-23023
Security Advisory Description Undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. CVE-2022-23023 Impact System performance can degrade until the process is either forced to restart or is manually restarted. This vulnerability allows an...
K53990093: iControl REST vulnerability CVE-2019-6646
Security Advisory Description REST users with guest privileges may be able to escalate their privileges and run commands with admin privileges. CVE-2019-6646 Impact Users with guest privileges are able to exploit this vulnerability to escalate their access privileges. Security Advisory Status F5...
K36942191: Advanced WAF and BIG-IP ASM MySQL database vulnerability CVE-2021-23053
Security Advisory Description When the brute force protection feature of ASM/Adv WAF is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MySQL database. CVE-2021-23053...
K99998454: iControl REST vulnerability CVE-2016-5021
Security Advisory Description The iControl REST service in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.5.x before 11.5.4, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF3; BIG-IP DNS 12.x before 12.0.0 HF3; BIG-IP GTM 11.5.x before 11.5.4 and 11.6.x before 11.6.1;...
K22384173: iControl REST vulnerability CVE-2019-6641
Security Advisory Description Undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack. CVE-2019-6641 Impact BIG-IP When this vulnerability...
K20059815: iControl REST vulnerability CVE-2020-5943
Security Advisory Description When a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password. CVE-2020-5943 Impact ...
K77313277: BIG-IP iControl and tmsh vulnerability CVE-2018-15325
Security Advisory Description In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, iControl and TMSH usage by authenticated users may leak a small amount of memory when executing commands. CVE-2018-15325 Impact This vulnerability may lead to an out-of-memory condition in the BIG-IP control plane,...
K53197140: BIG-IP iControl REST and tmsh vulnerabilities CVE-2022-26835
Security Advisory Description Directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell tmsh commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files...
K66851119: F5 TMUI XSS vulnerability CVE-2021-22994
Security Advisory Description Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. CVE-2021-22994 Impa...
K61105950: iControl REST logs a plaintext password when the syntax of a cURL request is incorrect
Security Advisory Description The BIG-IP system logs the device password in plaintext. This issue occurs when the following condition is met: There are one or more syntax errors in the POST body of a REST token request. Impact Disclosure of the BIG-IP system's device password can lead to other...