6294 matches found
K15885: GNU C Library vulnerability CVE-2011-1071
Security Advisory Description The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension...
K12650: PHP vulnerability CVE-2010-4645
Security Advisory Description Note : For information about signing up to receive security notice updates from F5, refer to K9970: Subscribe to email notifications regarding F5 products and security announcements. Note : Versions that are not listed in this article have not been evaluated for...
K16285: OpenSSL vulnerability CVE-2012-2110
Security Advisory Description The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory...
K6806: ClamAV UPX heap overflow Vulnerability - CVE-2006-4018
Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...
K8837: OpenSSL DTLS off-by-one error - CVE-2007-4995
Security Advisory Description Note : Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the ...
K54431371: BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
Security Advisory Description The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS run as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. CVE-2018-5546 Impact A...
K20226900: F5 WebSafe Dashboard vulnerability CVE-2018-5545
Security Advisory Description A malicious, authenticated user can execute code on the F5 WebSafe Alert Server by using a maliciously crafted payload. CVE-2018-5545 Impact F5 WebSafe Alert Server An attacker with an authenticated account may be able to perform a malicious remote code execution on...
K44453423: IP-in-IP Packet Processing vulnerability CVE-2020-10136
Security Advisory Description Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface an...
K36784855: Apache Tomcat vulnerability CVE-2016-0762
Security Advisory Description The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to...
K06015902: Intel AMT vulnerabilities CVE-2020-0531, CVE-2020-0532, and CVE-2020-0535
Security Advisory Description CVE-2020-0531 Improper input validation in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an authenticated user to potentially enable information disclosure via network access. CVE-2020-0532 Improper input validation in subsystem for...
K81556107: Intel processors vulnerabilities CVE-2019-0123 and CVE-2019-0124
Security Advisory Description CVE-2019-0123 Insufficient memory protection in Intel(R) 6th Generation Core Processors and greater, supporting SGX, may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2019-0124 Insufficient memory protection in Intel(R) 6th...
K46552732: Wget vulnerability CVE-2017-13089
Security Advisory Description The http.c:skip_short_body function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a...
K25160703: BIG-IP AFM vulnerability CVE-2020-5920
Security Advisory Description A vulnerability in the BIG-IP AFM Configuration utility may allow any authenticated BIG-IP user to perform a read-only blind SQL injection attack. CVE-2020-5920 Impact An attacker may be able to extract table name enumeration and user account names. All other data...
K15551553: OpenSSL vulnerability CVE-2017-3730
Security Advisory Description In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack...
K17551: Linux kernel vulnerability CVE-2014-9419
Security Advisory Description The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection...
K57201259: Intel SGX vulnerabilities CVE-2019-14565, CVE-2019-14566
Security Advisory Description CVE-2019-14565 Insufficient initialization in Intel(R) SGX SDK Windows versions 2.4.100.51291 and earlier, and Linux versions 2.6.100.51363 and earlier, may allow an authenticated user to enable information disclosure, escalation of privilege or denial of service via...
K51539421: BIG-IP SIP ALG profile vulnerability CVE-2022-26370
Security Advisory Description When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2022-26370 Impact...
K15405135: GO vulnerability CVE-2021-3114
Security Advisory Description In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVE-2021-3114 Impact There is no impact; F5 products are not...
K24301698: TMUI XSS vulnerability CVE-2021-23027
Security Advisory Description A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. CVE-2021-23027 Impact An attacker may exploit this...
K73370428: Linux kernel vulnerability CVE-2021-34866
Security Advisory Description This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific fla...
K55518036: GO vulnerability CVE-2021-31525
Security Advisory Description net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. CVE-2021-31525 Impact There...
K62477129: MySQL vulnerability CVE-2016-5584
Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 and earlier, and 5.7.15 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. CVE-2016-5584 Impact There is no impact; F5 products a...
K44070243: OpenSSL vulnerability CVE-2019-1549
Security Advisory Description OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being...
K00498403: Libgcrypt vulnerability CVE-2021-3345
Security Advisory Description _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. CVE-2021-3345 Impact There is no impact; F5 products are not...
K34369533: Node.js vulnerability CVE-2018-7161
Security Advisory Description All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner th...
K72376285: Poppler vulnerability CVE-2017-18267
Security Advisory Description The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops. CVE-2017-18267 Impact There is no impact; F5 products are not...
K43084130: BIND vulnerability CVE-2018-5735
Security Advisory Description The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other...
K53931245: BIG-IP SSL profile vulnerability CVE-2018-5524
Security Advisory Description Under certain conditions, virtual servers configured with Client SSL or Server SSL profiles that make use of network hardware security module (HSM) functionality are exposed and impacted by this issue. CVE-2018-5524 Impact Malformed Transport Layer Security (TLS) request...
K17528: NTP vulnerability CVE-2015-7850
Security Advisory Description ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file. CVE-2015-7850 Impact Under certain specific conditions, an attacker can send a se...
K13279: PHP vulnerability CVE-2009-4017
Security Advisory Description Prior to PHP 5.2.12, and in the 5.3.x branch prior to 5.3.1, the scripting language does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial-of-service (resource exhaustio...
K58235223: BIG-IP APM access policy vulnerability CVE-2022-35245
Security Advisory Description When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2022-35245 Impact Traffic is disrupted while TMM restarts. This vulnerability allows an attacker to cause a...
K22415133: cURL vulnerability CVE-2021-22898
Security Advisory Description curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcur...
K84884003: rsyslog vulnerability CVE-2019-17040
Security Advisory Description contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bounds access because the level length is mishandled. CVE-2019-17040 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has...
K22317030: iControl REST vulnerability CVE-2017-6145
Security Advisory Description iControl REST includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens...
K38742515: NTP vulnerability CVE-2018-7182
Security Advisory Description The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. CVE-2018-7182 Impact There is no impact; F5 products a...
K37121474: Binutils vulnerability CVE-2019-9073
Security Advisory Description An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c. CVE-2019-9073 Impact There is no impact; F5 products are not affect...
K10224912: PostgreSQL vulnerability CVE-2019-10208
Security Advisory Description A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE...
K61186963: cURL vulnerability CVE-2020-8285
Security Advisory Description curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. CVE-2020-8285 Impact A malicious FTP server can trigger a stack overflow and cause a denial-of-service (DoS) on the F5 product that ...
K71080411: Linux kernel vulnerability CVE-2021-4155
Security Advisory Description A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them. CVE-2021-4155 Impact Ther...
K02652550: OpenSSL vulnerability CVE-2016-2180
Security Advisory Description The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted...
K24248011: Traffix SDC Configuration utility vulnerability CVE-2022-27662
Security Advisory Description A stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. CVE-2022-27662 Impact If successful, a...
K05125306: glibc vulnerability CVE-2016-1234
Security Advisory Description Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name. CVE-2016-1234. Impact This vulnerability may allow a...
K32450233: Linux kernel vulnerability CVE-2018-20854
Security Advisory Description An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read. CVE-2018-20854 Impact There is no impact; F5 products are not affected by this vulnerability. Security...
K97285349: XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Security Advisory Description A stored cross-site scripting (XSS) vulnerability in the BIG-IP Configuration utility device name change page allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cau...
K00843201: Grafana vulnerability CVE-2019-15043
Security Advisory Description In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. CVE-2019-15043 Impact An unauthorized user may be able to leverage the Grafana...
K46401178: BIG-IP Configuration utility vulnerability CVE-2019-6599
Security Advisory Description Improper escaping of values in an undisclosed page of the BIG-IP Configuration utility may result in an improper handling on the JSON response when it is injected by a malicious script through a remote cross-site scripting (XSS) attack. CVE-2019-6599 Impact BIG-IP and...
K68609614: Linux kernel vulnerability CVE-2011-0699
Security Advisory Description Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value. CVE-2011-0699 Impact There is no...
K05211147: Kernel vulnerabilities CVE-2014-8559, CVE-2015-0275, CVE-2015-1333, CVE-2015-3212, and CVE-2015-4700
Security Advisory Description CVE-2014-8559 The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. CVE-2015-0275 The...
K93543114: BIG-IP APM vulnerability CVE-2022-27181
Security Advisory Description When APM is configured on a virtual server and the associated access profile is configured with APM AAA NTLM Auth, undisclosed requests can cause an increase in internal resource utilization. CVE-2022-27181 Impact System performance can degrade while the system is...
K03534020: PHP vulnerability CVE-2016-5767
Security Advisory Description Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow) and...