6294 matches found
SOL14734 - Apache HTTP server vulnerability CVE-2013-2249
Recommended Action To mitigate this vulnerability for ARX, do not enable the API functionality. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security...
SOL54308010 - PHP vulnerability CVE-2016-7124
Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...
SOL31211252 - glibc vulnerability CVE-2014-9761
Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...
SOL15406 - HTTP cookie vulnerability CVE-2004-0462
Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists. To...
K16907: Apache HTTPD vulnerability CVE-2011-3607
Security Advisory Description Integer overflow in the appregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the modsetenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, ...
K57304814: OpenSSH vulnerability CVE-2016-8858
Security Advisory Description DISPUTED The kexinputkexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service memory consumption by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider...
K09376613: INTEL-SA-00249 - Intel i915 Graphics for Linux vulnerability CVE-2019-11085
Security Advisory Description Insufficient input validation in Kernel Mode Driver in IntelR i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2019-11085 Impact There is no impact; F5 products are not...
K44233515: F5OS-A vulnerability CVE-2022-25990
Security Advisory Description Systems running F5OS-A software may expose certain registry ports externally. CVE-2022-25990 Impact An attacker may be able to exploit this vulnerability to gain read-only access to the Docker registry. Security Advisory Status F5 Product Development has assigned ID...
K43292324: PHP vulnerability CVE-2017-9228
Security Advisory Description An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitsetsetrange during regular expression compilation due to an uninitialized variable from an incorrect...
K80285422: PHP vulnerabilities CVE-2015-4642, CVE-2015-4643, and CVE-2015-4644
Security Advisory Description CVE-2015-4642 The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 on Windows allows remote attackers to execute arbitrary OS commands via a crafted string to an application that accepts command-line...
SOL16558 - Linux kernel vulnerability CVE-2014-8884
Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value. Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL995...
K16126: OpenSSL vulnerability CVE-2014-3572
Security Advisory Description The ssl3getkeyexchange function in s3clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message...
K15094237: MySQL vulnerabilities CVE-2022-21460, CVE-2022-21462, CVE-2022-21478, CVE-2022-21479, CVE-2022-21482
Security Advisory Description CVE-2022-21460 Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Logging. Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access...
K80212034: Linux kernel vulnerability CVE-2021-3656
Security Advisory Description A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB virtual machine control block provided by the L1 guest to spawn/handle a nested guest L2. Due to improper validation of the "virtext" field, this...
SOL5004 - Security Advisory: zlib buffer overflow - CAN-2005-2096
Vulnerability description zlib 1.2 and later versions allows remote attackers to cause a denial of service crash via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. Information...
K50133242: Apache Solr vulnerability CVE-2019-17558
Security Advisory Description Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could...
K13070025: Intel BIOS vulnerabiilties CVE-2021-0159, CVE-2021-0188, CVE-2021-0189, CVE-2021-33103, and CVE-2021-33122
Security Advisory Description CVE-2021-0159 Improper input validation in the BIOS authenticated code module for some IntelR Processors may allow a privileged user to potentially enable aescalation of privilege via local access. CVE-2021-0188 Return of pointer value outside of expected range in th...
SOL46514822 - Linux TCP stack vulnerability CVE-2016-5696
Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...
SOL17446 - Linux kernel vulnerability CVE-2015-0777
Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5 critical issue...
SOL16864 - SSL/TLS RC4 vulnerability CVE-2015-2808
Refer to the FirePass section of the Vulnerability Recommended Actions section. Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be no...
K14741: OpenSSH vulnerability CVE-2010-5107
Security Advisory Description The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service connection-slot exhaustion by periodically making many n...
K35799130: Multiple PHP vulnerabilities
Security Advisory Description CVE-2016-5399 The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service out-of-bounds write or execute arbitrary code via a crafted bz2 archive. CVE-2016-6291 The...
K14756743: OpenSSH vulnerability CVE-2021-28041
Security Advisory Description ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host. CVE-2021-28041 Impact There is...
K53225395: Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931
Security Advisory Description CVE-2021-3672 Missing input validation of host names returned by Domain Name Servers DNS in the c-ares library can lead to output of wrong hostnames which may lead to Domain Hijacking. CVE-2021-22931 Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote...
K54450124: NSS vulnerability CVE-2021-43527
Security Advisory Description NSS Network Security Services versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \7, or PKCS \12 are likely to be...
K89010078: Apache vulnerabilities CVE-2018-1307, CVE-2018-1298, CVE-2018-1299, CVE-2018-1287, and CVE-2018-1297
Security Advisory Description CVE-2018-1307 In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and...
K22902581: Apache mod_auth_digest vulnerability CVE-2018-1312
Security Advisory Description In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP...
SOL14228 - OpenSSH vulnerability CVE-2007-2243
Recommended Action None Supplemental Information CVE-2007-2243 SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
CRIME vulnerability via the SPDY protocol CVE-2012-4930
The SPDY protocol 3, and earlier, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plain text HTTP headers by observing length differences during a series of guesses in which a string i...
K14234227: Apache DB DdlUtils vulnerability CVE-2021-41616
Security Advisory Description Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure an...
K08206127: PHP vulnerability CVE-2016-4072
Security Advisory Description The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the pharanalyzepath function in ext/phar/phar.c...
K81172534: Linux kernel vulnerability CVE-2017-2583
Security Advisory Description The loadsegmentdescriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" instruction, which allows guest OS users to cause a denial of service guest OS crash or gain guest OS privileges via a...
K30184101: OpenSSL Vulnerability CVE-2021-4160
Security Advisory Description There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include...
K10737: SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541
Security Advisory Description Note : For information about signing up to receive security notice updates from F5, refer to K9970: Subscribe to email notifications regarding F5 products and security announcements. Note : Versions that are not listed in this article have not been evaluated for...
K18549143: OpenSSL vulnerability CVE-2019-1559
Security Advisory Description If an application encounters a fatal protocol error and then calls SSLshutdown twice once to send a closenotify, and once to receive one then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if...
SOL4119 - Buffer overflow in mod_ssl - CVE-2002-0082
Information about this advisory is available at the following location: Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge...
K67416037: Linux kernel vulnerability CVE-2021-23133
Security Advisory Description A race condition in Linux kernel SCTP sockets net/sctp/socket.c before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctpdestroysock is called without socknetsk-sctp.addrwqlock then an element is...
K30914425: Linux vulnerabilities CVE-2022-0330 and CVE-2022-22942
Security Advisory Description CVE-2022-0330 A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system...
SOL63326092 - NTP vulnerability CVE-2016-7434
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
SOL16674 - TLS vulnerability CVE-2015-4000
Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value. Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column...
K67404630: Oracle WebLogic Server vulnerabilities CVE-2018-2894 and CVE-2018-2935
Security Advisory Description CVE-2018-2894 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware subcomponent: WLS - Web Services. Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticat...
K16090693: Apache HTTP server vulnerability CVE-2021-44224
Security Advisory Description A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint...
K39103040: Kernel vulnerability CVE-2018-18955
Security Advisory Description In the Linux kernel 4.15.x through 4.19.x before 4.19.2, mapwrite in kernel/usernamespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAPSYSADMIN in an affected user namespace can bypas...
K44500413: Linux kernel vulnerability CVE-2016-2069
Security Advisory Description Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. CVE-2016-2069 Impact There is no impact; F5 products are not affected by this vulnerability...
K29691966: PHP vulnerability CVE-2016-5773
Security Advisory Description phpzip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service...
K14027805: Apache vulnerability CVE-2017-15710
Security Advisory Description In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is n...
K85932552: OpenJDK vulnerabilities CVE-2022-21540, CVE-2022-21541, and CVE-2022-21549
Security Advisory Description CVE-2022-21540 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition...
K03331206: NTP vulnerability CVE-2016-4955
Security Advisory Description ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service peer-variable clearing and association outage by sending 1 a spoofed crypto-NAK packet or 2 a packet with an incorrect MAC value at a certain time...
SOL14054 - CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
Vulnerability Recommended Actions To eliminate this vulnerability, perform one of the following actions: Upgrade to a software version that is listed in the Versions known to be Not Vulnerable column of the table. Upgrade your client browser to a non-vulnerable version. Supplemental Information...
K000139084: DNS vulnerability CVE-2023-50868
Security Advisory Description The Closest Encloser Proof aspect of the DNS protocol in RFC 5155 when RFC 9276 guidance is skipped allows remote attackers to cause a denial of service CPU consumption for SHA-1 computations via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. T...