K64721111: vCMP vulnerability CVE-2018-5531

Security Advisory Description Through undisclosed methods, adjacent network attackers can cause a denial of service for vCMP guest and host systems. Attacks must be sourced from an adjacent network Layer 2. CVE-2018-5531 Impact BIG-IP An attacker from an adjacent network may be able to cause a...

K14909: OpenSSL vulnerability CVE-2013-4248

Security Advisory Description The opensslx509parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle...

K96639388: Overview of F5 vulnerabilities (April 2021)

Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. The details of each issue can be found in the associate...

K05534090: Java vulnerability CVE-2015-4803

Security Advisory Description Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911. CVE-2015-4803...

K53316849: Java vulnerability CVE-2013-5802

Security Advisory Description Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality,...

K15905: Expat vulnerabilities CVE-2009-3560 and CVE-2009-3720

Security Advisory Description CVE-2009-3560 The big2toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service application crash via an XML document with malformed UTF-8 sequences that trigge...

K6919: Cross-site scripting vulnerability in my.activation.php3 CVE-2007-3097

Security Advisory Description Note : Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the ...

K92052341: Linux kernel vulnerability CVE-2021-29266

Security Advisory Description An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v-configctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0. CVE-2021-29266 Impact There is no impact; F5 products are not...

K55405388: NTP vulnerability CVE-2016-9311

Security Advisory Description ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service NULL pointer dereference and crash via a crafted packet. CVE-2016-9311 Impact A remote attacker may be able to send a specially crafted packet to cause ...

K05940857: Apache Tomcat vulnerabilities CVE-2017-5650 and CVE-2017-5651

Security Advisory Description CVE-2017-5650 In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOWUPDATE before allowing the application to...

K17309: Linux kernel vulnerability CVE-2015-5366

Security Advisory Description The 1 udprecvmsg and 2 udpv6recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service EPOLLET epoll application read outage via an incorrect checksum in a UDP packet, a...

K15319: Linux kernel TTY vulnerability CVE-2014-0196

Security Advisory Description The nttywrite function in drivers/tty/ntty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service memory corruption and system crash or gain privileges by...

K35263486: libarchive vulnerability CVE-2016-8688

Security Advisory Description The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service crash via a crafted file, which triggers an invalid read in the 1 detectform or 2 bidentry function in...

K60350722: Java SE Embedded vulnerability CVE-2018-2814

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE subcomponent: Hotspot. Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker...

K63525058: cURL vulnerability CVE-2020-8284

Security Advisory Description A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doin...

K43223005: PHP vulnerability CVE-2018-5711

Security Advisory Description gdgifin.c in the GD Graphics Library aka libgd, as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the...

K64119434: GNU C Library vulnerability CVE-2009-5155

Security Advisory Description In the GNU C Library aka glibc or libc6 before 2.28, parseregexp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service assertion failure and application exit or trigger an incorrect result by attempting a regular-expression...

K70023694: Linux kernel vulnerability CVE-2021-4154

Security Advisory Description A use-after-free flaw was found in cgroup1parseparam in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container...

K84940705: cURL and libcurl vulnerability CVE-2016-8623

Security Advisory Description A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. CVE-2016-8623 Impact A use-after-free can occur with shared cookies, allowing a user or process...

K19443402: BIND vulnerability CVE-2021-25216

Security Advisory Description In BIND 9.5.0 - 9.11.29, 9.12.0 - 9.16.13, and versions BIND 9.11.3-S1 - 9.11.29-S1 and 9.16.8-S1 - 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 - 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are...

K76934290: Linux kernel vulnerability CVE-2020-36386

Security Advisory Description An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hcievent.c has a slab out-of-bounds read in hciextendedinquiryresultevt, aka CID-51c19bf3d5cf. CVE-2020-36386 Impact There is no impact; F5 products are not affected by this vulnerability. Securi...

K72255110: MySQL vulnerability CVE-2016-6662

Security Advisory Description Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to creat...

K65230547: Apache Tomcat vulnerabilities CVE-2016-5018, CVE-2016-6794, and CVE-2016-6796

Security Advisory Description CVE-2016-5018 In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web...

K30671731: Apache Shiro vulnerability CVE-2022-40664

Security Advisory Description Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. CVE-2022-40664 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development...

K55051330: Intel BIOS vulnerability CVE-2021-33123

Security Advisory Description Improper access control in the BIOS authenticated code module for some IntelR Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2021-33123 Impact A local attacker logged in as a privileged user can exploit the...

K70052353: Apache Tomcat vulnerability CVE-2021-42340

Security Advisory Description The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connectio...

K65280235: Linux vulnerability CVE-2021-42252

Security Advisory Description An issue was discovered in aspeedlpcctrlmmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka...

K13844002: Linux kernel vulnerability CVE-2021-43057

Security Advisory Description An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinuxptracetraceme aka the SELinux handler for PTRACETRACEME could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs becaus...

K42202505: Linux kernel vulnerability CVE-2018-1120

Security Advisory Description A flaw was found affecting the Linux kernel before version 4.17. By mmaping a FUSE-backed file onto a process's memory containing command line arguments or environment strings, an attacker can cause utilities from psutils or procps such as ps, w or any other program...

K68804133: Apache vulnerability CVE-2017-12171

Security Advisory Description A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP...

K63712424: PHP vulnerability CVE-2015-8935

Security Advisory Description The sapiheaderop function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting XSS attacks against...

K42355373: Linux NFS kernel vulnerablity CVE-2020-25212

Security Advisory Description A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452...

K20486351: glibc vulnerability CVE-2017-1000366

Security Advisory Description glibc contains a vulnerability that allows specially crafted LDLIBRARYPATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent...

K78284681: Python tarfile library vulnerability CVE-2019-20907

Security Advisory Description In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because procpax lacks header validation. CVE-2019-20907 Impact A user-created custom Python script utilizing the Python...

K40019131: F5 Access for Android vulnerability CVE-2022-27875

Security Advisory Description A Task Hijacking vulnerability exists in the F5 Access for Android application, which may allow an attacker to steal sensitive user information. CVE-2022-27875 Impact An attacker may be able to exploit this vulnerability by tricking a legitimate user running Android...

K11910343: Linux kernel vulnerability CVE-2021-35039

Security Advisory Description kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIGMODULESIG, verification that a kernel module is signed, for loading via initmodule, does not occur for a module.sigenforce=1 command-line argumen...

K56923528: Linux kernel vulnerability CVE-2013-4343

Security Advisory Description Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAPNETADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call. CVE-2013-4343 Impact There is...

K32059550: Linux kernel vulnerability CVE-2018-20669

Security Advisory Description An issue where a provided address with accessok is not checked was discovered in i915gemexecbuffer2ioctl in drivers/gpu/drm/i915/i915gemexecbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary...

K17239: Linux kernel vulnerability CVE-2014-9529

Security Advisory Description Race condition in the keygcunusedkeys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service memory corruption or panic or possibly have unspecified other impact via keyctl commands that trigger access to a k...

K17136: Java and JRockit vulnerabilities CVE-2015-0478 and CVE-2015-0488

Security Advisory Description CVE-2015-0478 Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect confidentiality via vectors related to JCE.Per Oracle: Applies to client and server deployment of Java. This vulnerability c...

K8938: BIND DNS cache poisoning vulnerability - CVE-2008-1447 - VU#800113

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

K17181: BIND vulnerability CVE-2015-5722

Security Advisory Description Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a...

K86326526: MySQL vulnerabilities CVE-2015-4766, CVE-2015-4904, CVE-2015-4791, and CVE-2015-4807

Security Advisory Description CVE-2015-4766 Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall. CVE-2015-4904 Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier...

K000132667: Sudo vulnerability CVE-2023-22809

Security Advisory Description In Sudo before 1.9.12p2, the sudoedit aka -e feature mishandles extra arguments passed in the user-provided environment variables SUDOEDITOR, VISUAL, and EDITOR, allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to...

K000132639: ALPACA: TLS vulnerability CVE-2021-3618

Security Advisory Description ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP...

K14652952: yurex USB driver vulnerability CVE-2018-16276

Security Advisory Description An issue was discovered in yurexread in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges...

K14981751: Linux kernel vulnerability CVE-2019-18808

Security Advisory Description A memory leak in the ccprunshacmd function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service memory consumption, aka CID-128c66429247. CVE-2019-18808 Impact There is no impact; F5 products are not affected...

K03755971: BIG-IP DNS resolver vulnerability CVE-2022-28706

Security Advisory Description When the DNS resolver configuration is used, undisclosed requests can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-28706 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote attacker to cause a...

Intel CPU vulnerability CVE-2021-0103

Insufficient control flow management in the firmware for some IntelR Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVE-2021-0103 Impact An attacker may be able to exploit the Intel processor firmware to gain elevated access to resources...

SOL30216728 - Multiple PHP vulnerabilities

Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...