K16124: OpenSSL vulnerability CVE-2015-0206

Security Advisory Description Memory leak in the dtls1bufferrecord function in d1pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service memory consumption by sending many duplicate records for the next epoch, leading to failure of replay...

K16123: OpenSSL vulnerability CVE-2014-3571

Security Advisory Description OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted DTLS message that is processed with a different read operation for the handshake...

K49440205: Linux kernel vulnerability CVE-2021-38300

Security Advisory Description arch/mips/net/bpfjit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB...

K98121587: glibc vulnerability CVE-2021-35942

Security Advisory Description The wordexp function in the GNU C Library aka glibc through 2.33 may crash or read arbitrary memory in parseparam in posix/wordexp.c when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs...

K52171282: BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5529

Security Advisory Description The svpn component of the F5 BIG-IP APM client prior to version 7.1.7 for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host. A malicious local unprivileged user may gain knowled...

K15101402: iControl REST vulnerability CVE-2022-1468

Security Advisory Description An authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests. CVE-2022-1468 Impact Processing delays to iControl REST requests can occur until the iControl REST daemon is either...

K23454411: DNS profile vulnerability CVE-2022-26372

Security Advisory Description When a DNS listener is configured on a virtual server with DNS queueing default, undisclosed requests can cause an increase in memory resource utilization. CVE-2022-26372 Impact System performance can degrade until the Traffic Management Microkernel TMM process is...

K41523201: cURL vulnerability CVE-2019-5482

Security Advisory Description Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. CVE-2019-5482 Impact An attacker could cause a denial of service DoS or arbitrary code execution if you use cURL to transfer data to or from a Trivial File Transport Protocol TFTP server and...

K31616043: Linux kernel vulnerability CVE-2021-28660

Security Advisory Description rtwwxsetscan in drivers/staging/rtl8188eu/osdep/ioctllinux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the -ssid array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/ unfinished work;...

K08413011: Linux kernel vulnerability CVE-2019-7221

Security Advisory Description The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. CVE-2019-7221 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases...

K97399672: Apache Maven vulnerability CVE-2022-29599

Security Advisory Description In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. CVE-2022-29599 Impact There is no impact; F5 products are not affected by this vulnerability...

K53746212: Sudo vulnerability CVE-2019-14287

Security Advisory Description In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration...

K08044291: OpenSSL vulnerability CVE-2018-0739

Security Advisory Description Constructed ASN.1 types with a recursive definition such as can be found in PKCS7 could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that...

K12132951: Linux kernel vulnerability CVE-2022-0812

Security Advisory Description An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpcrdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information. CVE-2022-0812 Impact There is no impact; F5 products are not affected by...

K97521840: logback vulnerability CVE-2021-42550

Security Advisory Description In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. CVE-2021-42550 Impact There is no impact; F5 products...

K54143451: Java SE JRockit Vulnerability CVE-2018-2794

Security Advisory Description Vulnerability in the Java SE, JRockit component of Oracle Java SE subcomponent: Security. Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to...

K54039800: MatrixSSL vulnerability CVE-2016-6883

Security Advisory Description MatrixSSL before 3.8.3 configured with RSA Cipher Suites allows remote attackers to obtain sensitive information via a Bleichenbacher variant attack. CVE-2016-6883 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status...

K81674333: Ruby vulnerabilities CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Security Advisory Description CVE-2019-8322 An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. CVE-2019-8323 An issue was...

K02620788: OpenJDK vulnerabilities CVE-2019-2977, CVE-2019-2996, and CVE-2019-2975

Security Advisory Description CVE-2019-2977 Vulnerability in the Java SE product of Oracle Java SE component: Hotspot. Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to...

K15573: OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507

Security Advisory Description CVE-2014-3505 Double free vulnerability in d1both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service application crash via crafted DTLS packets that trigger a...

K57397944: Linux kernel vulnerability CVE-2019-19807

Security Advisory Description In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to sndtimeropen and sndtimercloselocked. The timeri variable was originally intended to be for a newly created timer...

K11271225: BIND vulnerability CVE-2022-0635

Security Advisory Description Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. CVE-2022-0635 Impact There is no impact; F5 products are not affected by this...

K13655013: Java vulnerabilities CVE-2018-2825 and CVE-2018-2826

Security Advisory Description CVE-2018-2825 Vulnerability in the Java SE component of Oracle Java SE subcomponent: Libraries. The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to...

K98053339: HTTP/2 Ping Flood vulnerability CVE-2019-9512

Security Advisory Description Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, th...

K30905674: Linux kernel vulnerability CVE-2014-9904

Security Advisory Description The sndcompresscheckinput function in sound/core/compressoffload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service insufficient memory allocation or possibly...

K79933541: HTTP2 profile vulnerability CVE-2022-35236

Security Advisory Description When an HTTP2 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. CVE-2022-35236 Impact System performance can degrade until the TMM process is either forced to restart or is manually restarted. This...

K16025: Linux kernel SCTP vulnerability CVE-2014-3688

Security Advisory Description The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service memory consumption by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c...

K11155549: IPSEC vulnerability CVE-2019-14899

Security Advisory Description A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine...

K15131064: Node.js vulnerability CVE-2018-7162

Security Advisory Description All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpecte...

K57735782: NGINX Controller API Management vulnerability CVE-2022-23008

Security Advisory Description An authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. CVE-2022-23008 Impact Successful exploitation...

K51931024: Linux kernel vulnerability CVE-2017-1000364

Security Advisory Description An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over the stack guard page is bypassed, this affects Linux Kernel versions 4.11.5 and earlier the stackguard page was...

K42801711: node-ipc vulnerability CVE-2022-23812

Security Advisory Description This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. Note: from versions 11.0.0 onwards, instead of having...

K94142349: BIG-IP Advanced WAF and ASM WebSocket security exposure

Security Advisory Description BIG-IP Advanced WAF and ASM incorrectly handle certain WebSocket requests. This issue occurs when the following condition is met: BIG-IP Advanced WAF or ASM handles a malicious WebSocket message. Impact The attack signature check fails to detect and block requests, a...

K33484483: F5OS vulnerability CVE-2022-41835

Security Advisory Description Excessive file permissions in F5OS allow an authenticated local attacker to execute a limited set of commands in a container and impact the F5OS controller. CVE-2022-41835 Impact An authenticated low-privileged attacker with CLI access can exploit this vulnerability...

K76328112: BIG-IP TMM vulnerability CVE-2019-6683

Security Advisory Description BIG-IP virtual servers with Loose Initiation enabled on a FastL4 profile may be subject to excessive flow usage under undisclosed conditions. CVE-2019-6683 Impact This vulnerability is present only on BIG-IP Virtual Edition VE systems with limited bandwidth licenses...

K86075480: Java SE vulnerability CVE-2018-3214

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Sound. Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows...

K52494562: BIG-IP software SYN cookies vulnerability CVE-2022-36795

Security Advisory Description When an LTM TCP profile configured on a virtual server has the Auto Receive Window option enabled, undisclosed traffic can cause the virtual server to stop processing new client connections. CVE-2022-36795 Impact Traffic is disrupted for new IP requests. This...

K91326803: Linux kernel vulnerability CVE-2021-38201

Security Advisory Description net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service xdrsetpagebase slab-out-of-bounds access by performing many NFS 4.2 READPLUS operations. CVE-2021-38201 Impact There is no impact; F5 products are not affected by...

K56551263: tcpdump vulnerability CVE-2018-14880

Security Advisory Description The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6printlshdr. CVE-2018-14880 Impact An attacker can gain access to sensitive information and can also cause a denial of service DoS. Security Advisory Status F5 Product Development h...

K22854723: Poppler vulnerability CVE-2018-10768

Security Advisory Description There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected...

K49160100: Apache Tomcat vulnerability CVE-2016-6817

Security Advisory Description The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. CVE-2016-6817 Impact There is no impact; F5...

K16869: logrotate vulnerability CVE-2011-1098

Security Advisory Description Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place. CVE-2011-1098 Impact May allow a local user to read log data by opening a...

K73183618: BIG-IP APM Portal Access vulnerability CVE-2020-5853

Security Advisory Description In BIG-IP APM Portal Access, HTTP pages that are served by back-end servers and have special JavaScript code may cause internal name conflicts. CVE-2020-5853 Impact BIG-IP APM An attacker who can control JavaScript code served by back-end servers may bypass the...

K4583: Insufficient validation of ICMP error messages VU#222750 / CVE-2004-0790 (9.x - 10.x)

Security Advisory Description This article applies to BIG-IP 9.x through 10.x. However, a regression for this vulnerability was introduced in later BIG-IP versions. For information about other versions, refer to the following article: K23440942: Insufficient validation of ICMP error messages...

K53214222: midi kernel driver vulnerability CVE-2018-10902

Security Advisory Description It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc double free in sndrawmidiinputparams and sndrawmidioutputstatus which are part of sndrawmidiioctl handler in rawmidi.c file. A malicious local...

K24734336: PHP vulnerabilities CVE-2016-4542, CVE-2016-4543, and CVE-2016-4544

Security Advisory Description CVE-2016-4542 The exifprocessIFDTAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service out-of-bounds read or possibly...

K16515: JBoss vulnerability CVE-2015-0279

Security Advisory Description JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language EL expressions and execute arbitrary Java code via the do parameter. CVE-2015-0279 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...

K15936: NTP vulnerability CVE-2014-9295

Security Advisory Description Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to 1 the cryptorecv function when the Autokey Authentication feature is used, 2 the ctlputdata function, and 3 the configu...

K74413297: Linux kernel vulnerability CVE-2014-3184

Security Advisory Description The reportfixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service out-of-bounds write via a crafted device that provides a small report descriptor, related to 1...

K07550539: TMM with LRO vulnerability CVE-2018-15311

Security Advisory Description When Large Receive Offload LRO is enabled, undisclosed traffic patterns may cause TMM to restart. LRO has been available since 11.4.0 but is not enabled by default until 13.1.0 for all platforms and 12.0.0 for Virtual Edition. CVE-2018-15311 Impact An attacker may be...