6413 matches found
SOL9025 - FirePass SNMP DoS vulnerability
This SNMP vulnerability can at most cause DoS of the FirePass SNMP service and cannot cause either unprivileged access to the FirePass controller or DoS of other FirePass services. Information about this advisory is available at the following location: F5 Product Development tracked this issue a...
SOL7827 - tcpdump 3.9.6 vulnerability CVE-2007-3798
For information about this advisory, refer to the Common Vulnerabilities and Exposures website at the following location:...
K000140964: libarchive vulnerabilities CVE-2018-1000877 and CVE-2018-1000878
Security Advisory Description CVE-2018-1000877 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards release v3.1.0 onwards contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archivereadsupportformatrar.c, parsecodes, reallocrar-lzss.window, newsize wit...
K000139628: Out-of-band Security Notification (May 29, 2024)
Security Advisory Description On May 29, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. You can watch t...
K000139682: Speculative race conditions vulnerability CVE-2024-2193
Security Advisory Description A Speculative Race Condition SRC vulnerability that impacts modern CPU architectures supporting speculative execution related to Spectre V1 has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using ra...
K000139652: Intel CPU vulnerability CVE-2023-23583
Security Advisory Description Sequence of processor instructions leads to unexpected behavior for some IntelR Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access. CVE-2023-23583 Impact Thi...
K000138732: BIG-IP Next Central Manager OData Injection vulnerability CVE-2024-21793
Security Advisory Description An OData injection vulnerability exists in the BIG-IP Next Central Manager API URI. CVE-2024-21793 Impact An unauthenticated attacker can exploit this vulnerability to execute malicious SQL statements which may allow the attacker to access but not update information...
K000138057: mod_ssl vulnerabilities CVE-2002-1157 and CVE-2002-0653
Security Advisory Description CVE-2002-1157 Cross-site scripting vulnerability in the modssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on...
K000137204: Intel BIOS vulnerability CVE-2022-43505
Security Advisory Description Insufficient control flow management in the BIOS firmware for some IntelR Processors may allow a privileged user to potentially enable denial of service via local access. CVE-2022-43505 Impact This vulnerability may allow a privileged user to potentially enable...
K55540723: OpenSSL vulnerability CVE-2015-3196
Security Advisory Description ssl/s3clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service race condition and...
K38110373: Apache Tomcat vulnerability CVE-2014-7810
Security Advisory Description The Expression Language EL implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a...
K29002929: INTEL-SA-00223 - Intel Unified Extensible Firmware Interface CVE-2019-0120
Security Advisory Description Insufficient key protection vulnerability in silicon reference firmware for IntelR PentiumR Processor J Series, IntelR PentiumR Processor N Series, IntelR CeleronR J Series, IntelR CeleronR N Series, IntelR AtomR Processor A Series, IntelR AtomR Processor E3900 Serie...
K32541890: DHCP Client Script Code Execution vulnerability CVE-2018-1111
Security Advisory Description DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP...
K06323049: BIG-IP IPsec ALG vulnerability CVE-2022-29473
Security Advisory Description When an IPSec ALG profile is configured on a virtual server, undisclosed responses can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-29473 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated...
K80922332: PHP vulnerability CVE-2015-8866
Security Advisory Description ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxmldisableentityloader changes in other threads, which allows remote attackers to conduct XML External Entity XXE and XML Entity Expansion XEE...
K12896623: glibc vulnerability CVE-2018-1000001
Security Advisory Description In glibc 2.26 and earlier there is confusion in the usage of getcwd by realpath which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. CVE-2018-1000001 Impact There is no impact; F5 products are not affect...
K53737506: Linux kernel vulnerability CVE-2019-19070
Security Advisory Description DISPUTED A memory leak in the spigpioprobe function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service memory consumption by triggering devmaddactionorreset failures, aka CID-d3b0ffa1d75d. NOTE: third parties...
K32734107: BIG-IP APM vulnerability CVE-2021-23052
Security Advisory Description An open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. CVE-2021-23052 Impact An unauthenticated attacker can create an open redirect...
K11009429: MySQL vulnerabilities CVE-2018-3170, CVE-2018-3171, CVE-2018-3173, CVE-2018-3174, and CVE-2018-3182
Security Advisory Description CVE-2018-3170 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: DDL. Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols...
K15152: Ruby vulnerability CVE-2013-4164
Security Advisory Description Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a string that is...
K55237223: BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
Security Advisory Description DOM-based XSS on DoS Profile properties page. CVE-2021-22993 Impact An attacker can inject a malicious script into the BIG-IP Advanced WAF and ASM Configuration utility and trick users into executing malicious code. Security Advisory Status F5 Product Development has...
K02931614: Multiple dnsmasq vulnerabilities
Security Advisory Description CVE-2020-25681 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid,...
K94730263: Linux kernel vulnerability CVE-2017-17450
Security Advisory Description net/netfilter/xtosf.c in the Linux kernel through 4.14.4 does not require the CAPNETADMIN capability for addcallback and removecallback operations, which allows local users to bypass intended access restrictions because the xtosffingers data structure is shared acros...
K96639388: Overview of F5 vulnerabilities (April 2021)
Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. The details of each issue can be found in the associate...
K81081046: PHP vulnerabilities CVE-2016-4537 and CVE-2016-4538
Security Advisory Description CVE-2016-4537 The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other...
K77535578: Multiple Java SE client-side vulnerabilities
Security Advisory Description CVE-2016-0636 Unspecified vulnerability in Oracle Java SE 7u97, 8u73, and 8u74 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to the Hotspot sub-component. CVE-2016-0686 Unspecified vulnerability in Oracle...
K15927: BIND vulnerability CVE-2014-8500
Security Advisory Description ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service memory consumption and named crash via a large or infinite number of referrals. CVE-2014-8500...
K52136304: SCSI libsas driver vulnerability CVE-2019-15807
Security Advisory Description In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sasexpander.c when SAS expander discovery fails. This will cause a BUG and denial of service. CVE-2019-15807 Impact There is no impact; F5 products are not affected by this vulnerability...
K16124: OpenSSL vulnerability CVE-2015-0206
Security Advisory Description Memory leak in the dtls1bufferrecord function in d1pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service memory consumption by sending many duplicate records for the next epoch, leading to failure of replay...
K16123: OpenSSL vulnerability CVE-2014-3571
Security Advisory Description OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted DTLS message that is processed with a different read operation for the handshake...
K49440205: Linux kernel vulnerability CVE-2021-38300
Security Advisory Description arch/mips/net/bpfjit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB...
K35232053: PHP vulnerability CVE-2016-7125
Security Advisory Description ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by obje...
K23030550: Linux kernel vulnerability CVE-2016-8399
Security Advisory Description An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged proce...
K41997459: BIG-IP APM XSS vulnerability CVE-2021-23054
Security Advisory Description A reflected cross-site scripting XSS vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system. CVE-2021-23054 Impact An attacker can craft a malicious URL and send it to an authenticated...
K98121587: glibc vulnerability CVE-2021-35942
Security Advisory Description The wordexp function in the GNU C Library aka glibc through 2.33 may crash or read arbitrary memory in parseparam in posix/wordexp.c when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs...
K08037765: Qt vulnerabilities CVE-2018-19869, CVE-2018-19870, CVE-2018-19871, and CVE-2018-19873
Security Advisory Description CVE-2018-19869 An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVE-2018-19870 An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler...
K52171282: BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5529
Security Advisory Description The svpn component of the F5 BIG-IP APM client prior to version 7.1.7 for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host. A malicious local unprivileged user may gain knowled...
K23454411: DNS profile vulnerability CVE-2022-26372
Security Advisory Description When a DNS listener is configured on a virtual server with DNS queueing default, undisclosed requests can cause an increase in memory resource utilization. CVE-2022-26372 Impact System performance can degrade until the Traffic Management Microkernel TMM process is...
K97399672: Apache Maven vulnerability CVE-2022-29599
Security Advisory Description In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. CVE-2022-29599 Impact There is no impact; F5 products are not affected by this vulnerability...
K53746212: Sudo vulnerability CVE-2019-14287
Security Advisory Description In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration...
K08044291: OpenSSL vulnerability CVE-2018-0739
Security Advisory Description Constructed ASN.1 types with a recursive definition such as can be found in PKCS7 could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that...
K54252492: Side-channel processor vulnerability CVE-2018-3693
Security Advisory Description Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis. CVE-2018-3693 also known as Spectre ...
K40507733: The BIG-IP APM logon page may expose an XSS security risk
Security Advisory Description This issue occurs when all of the following conditions are met: You configure an authentication, authorization, and accounting AAA agent after a logon page agent in the access policy. You configure the AAA agent with a Max Logon Attempts Allowed value higher than 1...
K15573: OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507
Security Advisory Description CVE-2014-3505 Double free vulnerability in d1both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service application crash via crafted DTLS packets that trigger a...
K01051400: Linux kernel vulnerability CVE-2020-14356
Security Advisory Description A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system. CVE-2020-14356 Impact There ...
K11271225: BIND vulnerability CVE-2022-0635
Security Advisory Description Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. CVE-2022-0635 Impact There is no impact; F5 products are not affected by this...
K19443402: BIND vulnerability CVE-2021-25216
Security Advisory Description In BIND 9.5.0 - 9.11.29, 9.12.0 - 9.16.13, and versions BIND 9.11.3-S1 - 9.11.29-S1 and 9.16.8-S1 - 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 - 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are...
K27400151: SNMP vulnerability CVE-2019-6613
Security Advisory Description SNMP may expose sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is used with various profile types and is accessed using SNMPv2. CVE-2019-6613 Impact An attacker with direct SNMP access to a BIG-IP system o...
K33548065: Eclipse Jetty vulnerability CVE-2018-12536
Security Advisory Description In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters ca...
K98053339: HTTP/2 Ping Flood vulnerability CVE-2019-9512
Security Advisory Description Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, th...