SOL12826 - Java Runtime Environment (JRE) vulnerability: CVE-2010-4476

These F5 product versions use the affected Java function to manage traffic in the Configuration utility. However, the system filters the input value to the function so the value falls within an expected range before the system passes data to the function. These expected ranges of data do not...

SOL12794 - GNU C Library vulnerability CVE-2010-4052

Vulnerability description and product information. Stack consumption vulnerability in the regcomp implementation in the GNU C Library glibc or libc6 through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service. Information about this advisory is...

SOL8171 - Linux kernel IA32 System Call vulnerability - CVE-2007-4573

Vulnerability description This security advisory describes a vulnerability in the Linux kernel which may allow local users to gain elevated privileges using the IA32 system call emulation functionality on 64-bit platforms. Information about this advisory is available at the following location:...

SOL7005 - Overview of MNIN/NNL-Labs Advisory

Future release Obtaining and installing hotfixes F5 recommends you apply the following hotfixes for your specific FirePass version to address the issues presented in these security advisories: Product | Version | Hotfix ---|---|--- FirePass | 6.0.0 | HF-600-8 or later cumulative hotfix FirePass |...

K000148287: Apache Tomcat vulnerability CVE-2019-0232

Security Advisory Description When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The...

K000139611: NGINX HTTP/3 QUIC vulnerability CVE-2024-31079

Security Advisory Description When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection...

K000138650: cURL vulnerability CVE-2023-46218

Security Advisory Description This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It...

K000138577: Python-asyncssh vulnerability CVE-2023-46446

Security Advisory Description An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." CVE-2023-46446 Impact There is no impact; F5 products are not affected by this...

K000138452: Intel CPU BIOS vulnerabilities CVE-2023-25756 and CVE-2023-22329

Security Advisory Description CVE-2023-25756 Out-of-bounds read in the BIOS firmware for some IntelR Processors may allow an authenticated user to potentially enable escalation of privilege via adjacent access. CVE-2023-22329 Improper input validation in the BIOS firmware for some IntelR Processo...

K000133092: cURL vulnerability CVE-2022-43552

Security Advisory Description A use after free vulnerability exists in curl 7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET,...

K69334442: Intel Processors RRSBA advisory CVE-2022-28693

Security Advisory Description Unprotected alternative channel of return branch target prediction in some IntelR Processors may allow an authorized user to potentially enable information disclosure via local access. CVE-2022-28693 Impact There is no impact; F5 products are not affected by this...

K23512141: OpenSSL vulnerability CVE-2016-2179

Security Advisory Description The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service memory consumption by maintaining many crafted DTLS...

K35322517: BIND vulnerability CVE-2016-8864

Security Advisory Description named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service assertion failure and daemon exit via a DNAME record in the answer section of a response to a recursive query, related to...

K76444020: OpenJDK vulnerabilities CVE-2019-2933 and CVE-2019-2958

Security Advisory Description CVE-2019-2933 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Libraries. Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows...

K11435435: PHP vulnerability CVE-2020-7070

Security Advisory Description In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host confused with cookies that decode to such prefix, thu...

K01225001: Apache Tomcat vulnerability CVE-2017-5664

Security Advisory Description The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to...

K65043534: Multiple INTEL BIOS vulnerabilities

Security Advisory Description CVE-2017-5705 Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code. CVE-2017-5706 Multiple buffer overflows in kernel in Intel Server Platfo...

K16764: PHP vulnerability CVE-2015-4022

Security Advisory Description Integer overflow in the ftpgenlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. CVE-2015-40...

K16707: cURL and libcurl vulnerability CVE-2015-3148

Security Advisory Description cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. CVE-2015-3148 Impact Remote attackers may be able to re-use Negotiate connections as other user...

K55053009: Oracle Java SE JAXP vulnerability CVE-2020-14621

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: JAXP. Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with...

K25570584: Apache Struts vulnerability CVE-2012-0394

Security Advisory Description DISPUTED The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability...

K33522171: Multiple MySQL vulnerabilities

Security Advisory Description CVE-2020-14550 Vulnerability in the MySQL Client product of Oracle MySQL component: C API. Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Difficult to exploit vulnerability allows low privileged attacker with network...

K56480726: Linux kernel vulnerability CVE-2019-8980

Security Advisory Description A memory leak in the kernelreadfile function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service memory consumption by triggering vfsread failures. CVE-2019-8980 Impact There is no impact; F5 products are not affected by thi...

K16833: Linux vulnerability CVE-2014-7826

Security Advisory Description kernel/trace/tracesyscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service invalid pointer dereference via a crafted...

K01324833: NTP vulnerability CVE-2015-8158

Security Advisory Description The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service infinite loop via crafted packets with incorrect values. CVE-2015-8158 Impact When this vulnerability is exploited, an attacke...

K62012529: BIND vulnerability CVE-2016-1286

Security Advisory Description named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service assertion failure and daemon exit via a crafted signature record for a DNAME record, related to db.c and resolver.c. CVE-2016-1286 Impact An attacke...

K15900: Apache HTTP server vulnerability CVE-2012-3499

Security Advisory Description Multiple cross-site scripting XSS vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the 1 modimagemap, 2 modinfo, 3 modlda...

K16442: MIT Kerberos 5 vulnerability CVE-2014-9422

Security Advisory Description The checkrpcsecauth function in kadmin/server/kadmrpcsvc.c in kadmind in MIT Kerberos 5 aka krb5 through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/ authorization check and obtain administrative access...

K01128223: PHP vulnerability CVE-2020-7061

Security Advisory Description In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or...

K05415626: Apache HTTPD vulnerability CVE-2017-7659

Security Advisory Description A maliciously constructed HTTP/2 request could cause modhttp2 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. CVE-2017-7659 Impact A remote attacker can use a maliciously crafted HTTP/2 request to cause an abnormal termination on the Apache...

K85307687: cURL and libcurl vulnerabilities CVE-2014-3613, CVE-2014-3707, and CVE-2014-8150

Security Advisory Description CVE-2014-3613 cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site...

K25200948: Linux kernel vulnerability CVE-2021-33034

Security Advisory Description In the Linux kernel before 5.12.4, net/bluetooth/hcievent.c has a use-after-free when destroying an hcichan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. CVE-2021-33034 Impact There is no impact; F5 products are not affected by this vulnerability...

K41412302: Jetty vulnerability CVE-2019-10247

Security Advisory Description In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not...

K50222414: Linux kernel vulnerability CVE-2019-11486

Security Advisory Description The Siemens R3964 line discipline driver in drivers/tty/nr3964.c in the Linux kernel before 5.0.8 has multiple race conditions. CVE-2019-11486 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Developme...

K71249196: Python-Pillow vulnerability CVE-2021-25288

Security Advisory Description An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayi. CVE-2021-25288 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the...

K04107324: Linux kernel vulnerability CVE-2019-3900

Security Advisory Description An infinite loop issue was found in the vhostnet kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handlerx. It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote on...

K16010: GNU C Library (glibc) vulnerability CVE-2014-7817

Security Advisory Description The wordexp function in GNU C Library aka glibc 2.21 does not enforce the WRDENOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$...". CVE-2014-7817 Impact An attacker with local access and...

K63314101: Multiple MySQL vulnerabilities

Security Advisory Description CVE-2022-21451 Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via...

K17245: Linux kernel vulnerability CVE-2014-9584

Security Advisory Description The parserockridgeinodeinternal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference ER System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted...

K54225343: libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705

Security Advisory Description CVE-2016-3627 The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service infinite recursion, stack consumption, and application crash via a crafted XML document...

K27155546: BIND vulnerability CVE-2022-38177

Security Advisory Description By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. CVE-2022-38177 Impact There i...

K63176101: Linux kernel vulnerability CVE-2019-17055

Security Advisory Description basesockcreate in drivers/isdn/mISDN/socket.c in the AFISDN network module in the Linux kernel through 5.3.2 does not enforce CAPNETRAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. CVE-2019-17055 Impact There is no impact; F5...

K04185528: LibTIFF vulnerabilities CVE-2016-3186 CVE-2018-10779 CVE-2018-10963 CVE-2018-12900 CVE-2018-17100 CVE-2018-17101 CVE-2018-18661 CVE-2018-7456 CVE-2018-8905

Security Advisory Description CVE-2016-3186 Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service application crash via a crafted GIF file. CVE-2018-10779 TIFFWriteScanline in tifwrite.c in LibTIFF 3.8.2 has a heap-based...

K43541501: Intel CPU vulnerabilities CVE-2022-21131 and CVE-2022-21136

Security Advisory Description CVE-2022-21131 Improper access control for some IntelR XeonR Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2022-21136 Improper input validation for some IntelR XeonR Processors may allow a privileged use...

K28418435: Java vulnerability CVE-2017-10053

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: 2D. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows...

K04553557: Linux nfsd kernel vulnerability CVE-2020-24394

Security Advisory Description In the Linux kernel before 5.7.8, fs/nfsd/vfs.c in the NFS server can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. CVE-2020-24394 Impact The...

K54924436: PHP vulnerability CVE-2015-8865

Security Advisory Description The filecheckmem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service...

K03710547: Linux RPM vulnerability CVE-2017-7501

Security Advisory Description It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content...

K63470526: MySQL vulnerabilities CVE-2018-3203, CVE-2018-3212, CVE-2018-3247, CVE-2018-3251, and CVE-2018-3258

Security Advisory Description CVE-2018-3203 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Optimizer. Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple...

K85332020: Netlink message vulnerability CVE-2016-4486

Security Advisory Description The rtnlfilllinkifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. CVE-2016-4486 Impact ...