K43310520: BIG-IP TMUI vulnerability CVE-2020-5940

Security Advisory Description A stored cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface TMUI, also known as the BIG-IP Configuration utility. CVE-2020-5940 Impact An authenticated attacker may be able to store JavaScript, which i...

K54082580: BIG-IP CGNAT LSN vulnerability CVE-2022-26517

Security Advisory Description When the BIG-IP CGNAT Large Scale NAT LSN pool is configured on a virtual server and packet filtering is enabled, undisclosed requests can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-26517 For more information about packet filters, refer to th...

K21561554: Linux kernel vulnerability security/apparmor CVE-2019-18814

Security Advisory Description An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aalabelparse fails in aaauditruleinitin security/apparmor/audit.c. CVE-2019-18814 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisor...

K82641075: PHP vulnerability CVE-2018-10545

Security Advisory Description An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpmunix.c makes a PRSETDUMPABLE prctl call, allowing one user in a multiuser...

K17848347: Oracle Java vulnerabilities CVE-2019-2422, CVE-2019-2449, and CVE-2019-2540

Security Advisory Description CVE-2019-2422 Vulnerability in the Java SE component of Oracle Java SE subcomponent: Libraries. Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with...

K15640: GNU C Library (glibc) vulnerabilities CVE-2014-0475, CVE-2014-5119, CVE-2013-4458

Security Advisory Description CVE-2014-0475 Multiple directory traversal vulnerabilities in GNU C Library aka glibc or libc6 before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. dot dot in a 1 LC, 2 LANG, or other...

K14445: Linux kernel vulnerability CVE-2013-2094

Security Advisory Description The perfsweventinit function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type. CVE-2013-2094 Impact Local users may be able to gain privileges through a crafted perfeventopen system call. Security Advisory Status F5 Product...

K54095660: Linux kernel vulnerability CVE-2016-9555

Security Advisory Description The sctpsfootb function in net/sctp/smstatefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service out-of-bounds slab access or possibly have unspecified other impact via...

K31501591: QEMU vulnerability CVE-2017-15118

Security Advisory Description A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu...

K17011311: NodeJS vulnerability CVE-2022-35256

Security Advisory Description The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. CVE-2022-35256 Impact There is no impact; F5 products are not affected by this vulnerability...

K48523069: System Security Services Daemon vulnerability CVE-2015-5292

Security Advisory Description Memory leak in the Privilege Attribute Certificate PAC responder plugin sssdpacplugin.so in System Security Services Daemon SSSD 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service memory consumption via a large number of logins that...

K32525759: Linux kernel vulnerability CVE-2021-3489

Security Advisory Description The eBPF RINGBUF bpfringbufreserve function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fix...

K86005324: Samba vulnerability CVE-2016-2124

Security Advisory Description A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required. CVE-2016-2124 Impact There is no impact; F5 products are not affecte...

K51048910: Eclipse Jetty vulnerability CVE-2021-28169

Security Advisory Description For Eclipse Jetty versions = 9.4.40, = 10.0.2, = 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the...

K91084571: PHP vulnerability CVE-2015-8873

Security Advisory Description Stack consumption vulnerability in Zend/zendexceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service segmentation fault via recursive method calls. CVE-2015-8873 Impact An authenticated...

K31878120: libwebp vulnerabilities CVE-2018-25011 CVE-2020-36328 CVE-2020-36329 CVE-2018-25014

Security Advisory Description A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow was found in PutLE16. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2018-25011 A flaw was found in libwebp in...

K58003591: Apache HTTP server vulnerability CVE-2022-28614

Security Advisory Description The aprwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using aprwrite or aprputs, such as with modluas r:puts function. Modules compiled and distributed separately from...

K12092991: Linux Kernel vulnerability CVE-2020-35519

Security Advisory Description An out-of-bounds OOB memory access flaw was found in x25bind in net/x25/afx25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash o...

K67352212: Apache vulnerabilities CVE-2018-1286, CVE-2018-1294, CVE-2018-1316, CVE-2018-1319, and CVE-2018-1324

Security Advisory Description CVE-2018-1286 In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users. CVE-2018-1294 If a user of Commons-Email typically an application programmer...

K61363039: NTP vulnerability CVE-2019-8936

Security Advisory Description NTP through 4.2.8p12 has a NULL Pointer Dereference. CVE-2019-8936 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for potential vulnerabilit...

K52828640: libcurl vulnerability CVE-2016-8616

Security Advisory Description A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that...

K13400: SSL 3.0/TLS 1.0 vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870

Security Advisory Description CVE-2011-3389 The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows...

K16354: Multiple JavaSE client-side vulnerabilities

Security Advisory Description CVE-2014-6601 Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. CVE-2015-0412 Unspecified vulnerability in Oracle Java SE 6u85, 7u72,...

K52342540: Java SE vulnerability CVE-2017-10108

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Serialization. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability...

SOL09422508 - OpenSSL vulnerabilities CVE-2016-6302, CVE-2016-6307, and CVE-2016-6308

Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...

SOL48802597 - Java vulnerabilities CVE-2013-5825 and CVE-2013-5830

Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...

SOL04127310 - PHP vulnerabilities CVE-2016-3141 and CVE-2016-3142

Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...

SOL17213 - Apache vulnerability CVE-2002-0392

Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value. Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL995...

SOL17121 - Linux network subsystem vulnerabilities CVE-2014-8160, CVE-2014-8172, CVE-2014-8173, CVE-2014-9428, CVE-2014-9644, CVE-2015-0274, and CVE-2015-2041

Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents. SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5 critical issue...

SOL16909 - BIND vulnerability CVE-2015-5477

1These versions are vulnerable if a self IP address or management IP address is configured to allow inbound connections on port 53. 2These versions are vulnerable if a DNS profile is configured with the Use BIND Server on BIG-IP option enabled by default. 3These versions are vulnerable if...

SOL16442 - MIT Kerberos 5 vulnerability CVE-2014-9422

Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not...

SOL15910 - Linux kernel SCTP vulnerabilities CVE-2014-3673 and CVE-2014-3687

Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not...

SOL15722 - OpenSSL DTLS SRTP Memory Leak CVE-2014-3513

Recommended Action If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version...

SOL4743 - Inadequate validation for TCP segments CVE-2005-0356

Multiple TCP implementations with Protection Against Wrapped Sequence Numbers PAWS with the timestamps option enabled allow remote attackers to cause a denial of service connection loss via a spoofed packet with a large timer value, which causes the host to discard later packets because they appe...

K000150943: PostgreSQL vulnerabilities CVE-2019-10164, CVE-2020-14349, and CVE-2020-14350

Security Advisory Description CVE-2019-10164 PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often...

K000137053: Overview of F5 vulnerabilities (October 2023)

Security Advisory Description Note : F5 is committed to responding quickly to potential vulnerabilities in F5 products. As with all publicly known vulnerabilities, F5 is committed to publishing a response as soon as the vulnerability has been thoroughly investigated. In this case, an external...

K29103455: QEMU 3.0.0 vulnerability CVE-2019-9824

Security Advisory Description tcpemu in slirp/tcpsubr.c aka slirp/src/tcpsubr.c in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. CVE-2019-9824 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5...

K29146534: SSB Variant 4 vulnerability CVE-2018-3639

Security Advisory Description Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel...

K14673240: Linux kernel vulnerability CVE-2018-20856

Security Advisory Description An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an blkdrainqueue use-after-free because a certain error case is mishandled. CVE-2018-20856 Impact There is no impact; F5 products are not affected by this vulnerability. Security...

K14228: OpenSSH vulnerability CVE-2007-2243

Security Advisory Description OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to...

K14446: OpenSSH vulnerability CVE-2012-0814

Security Advisory Description The authparseoptions function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorizedkeys command options. CVE-2012-0814 Impact This vulnerability may allow remotely-authenticated users to obtain potentially sensitive information...

K63519101: Multiple QEMU vulnerabilities

Security Advisory Description CVE-2014-8106 Heap-based buffer overflow in the Cirrus VGA emulator hw/display/cirrusvga.c in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for...

K62442245: Kernel vulnerability CVE-2016-6828

Security Advisory Description The tcpchecksendhead function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service tcpxmitretransmitqueue use-after-free and system crash vi...

K44415301: Apache Tomcat vulnerability CVE-2020-17527

Security Advisory Description While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the...

K51011533: Expat XML parser vulnerability CVE-2018-20843

Security Advisory Description In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing enough to be usable for denial-of-service attacks. CVE-2018-20843 Impact...

K56331254: Apache HTTP server vulnerability CVE-2021-41524

Security Advisory Description While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No...

K02771314: Oracle Java SE vulnerability CVE-2019-2699

Security Advisory Description Vulnerability in the Java SE component of Oracle Java SE subcomponent: Windows DLL. The supported version that is affected is Java SE: 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise...

K52308021: GNU C Library (glibc) vulnerabilities CVE-2022-23218 and CVE-2022-23219

Security Advisory Description CVE-2022-23218 The deprecated compatibility function svcunixcreate in the sunrpc module of the GNU C Library aka glibc through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a...

K02613439: Linux kernel vulnerability CVE-2017-9076

Security Advisory Description The dccpv6requestrecvsock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890...

K32019083: Linux kernel vulnerability CVE-2019-11815

Security Advisory Description An issue was discovered in rdstcpkillsock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup. CVE-2019-11815 Impact There is no impact; F5 products are not affected by this...