K43404629: F5 SSH server key size vulnerability CVE-2020-5917

Security Advisory Description The BIG-IP and BIG-IQ host OpenSSH servers use keys less than 2048 bits that are no longer considered secure. CVE-2020-5917 Impact The BIG-IP system may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications. Some security scanners, such as the...

K22113131: BIG-IP TMM Ram Cache vulnerability CVE-2020-5861

Security Advisory Description The TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. RAM Cache is a BIG-IP feature used to accelerate HTTP traffic and can be enabled in a Web Acceleration profile. CVE-2020-5861 Impact The...

K25414045: Intel server board vulnerability CVE-2018-3682

Security Advisory Description BMC Firmware in Intel server boards, compute modules, and systems potentially allow an attacker with administrative privileges to make unauthorized read\writes to the SMBUS. CVE-2018-3682 Impact There is no impact; F5 products are not affected by this vulnerability...

K15401: OpenSSL vulnerability CVE-2012-2333

Security Advisory Description Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service buffer over-read or possibly have unspecified other impact via a...

K54200228: BIG-IP iRules vulnerability CVE-2020-5877

Security Advisory Description Malformed input to the DATAGRAM::tcp iRules command within a FLOWINIT event may lead to a denial of service. CVE-2020-5877 Impact Remote attackers may be able to perform a denial-of-service DoS attack on the BIG-IP system. Security Advisory Status F5 Product...

K38315305: FreeType vulnerability CVE-2015-9290

Security Advisory Description In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1GetPrivateDict where there is no check that the new values of cur and limit are sensible before going to Again. CVE-2015-9290 Impact A local unprivileged attacker can perform a...

K42534513: Multiple PeopleSoft Enterprise PeopleTools vulnerabilities

Security Advisory Description CVE-2018-3129 Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products subcomponent: Portal. Supported versions that are affected are 8.55, 8.56 and 8.57. Easily exploitable vulnerability allows unauthenticated attacker with...

K14712: The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering CVE-2013-5976

Security Advisory Description Description The BIG-IP APM access policy logout page may be vulnerable to cross-site scripting XSS. Impact XSS protection in the BIG-IP APM access policy logout page may be insufficient. Security Advisory Status F5 Product Development tracked this vulnerability as ID...

K88474783: BIG-IP DoS profile vulnerability CVE-2020-5879

Security Advisory Description Under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. CVE-2020-5879 Impact The affected system sends some requests to the back-end server without encryption, possibly leaki...

K59145983: Intel CSME and SPS vulnerability CVE-2019-0090

Security Advisory Description Insufficient access control vulnerability in subsystem for IntelR CSME before version 12.0.35, IntelR SPS before version SPSE305.00.04.027.0 may allow unauthenticated user to potentially enable escalation of privilege via physical access. CVE-2019-0090 Impact Traffix...

K13434228: Apache Struts vulnerability CVE-2012-0392

Security Advisory Description The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method...

K05052081: NodeJS vulnerability CVE-2015-8854

Security Advisory Description The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service CPU consumption via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service ReDoS." CVE-2015-885...

K18491258: Cluster component of Oracle MySQL vulnerabilities CVE-2016-5541, CVE-2017-3321, CVE-2017-3322, and CVE-2017-3323

Security Advisory Description CVE-2016-5541 Vulnerability in the MySQL Cluster component of Oracle MySQL subcomponent: Cluster: NDBAPI. Supported versions that are affected are 7.2.26 and earlier, 7.3.14 and earlier and 7.4.12 and earlier. Difficult to exploit vulnerability allows unauthenticated...

K23720587: Apache Solr vulnerability CVE-2019-12409

Security Advisory Description The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLEREMOTEJMXOPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX...

K60381308: Intel CPU vulnerability CVE-2018-3655

Security Advisory Description A vulnerability in a subsystem in Intel CSME before version 11.21.55, Intel Server Platform Services before version 4.0 and Intel Trusted Execution Engine Firmware before version 3.1.55 may allow an unauthenticated user to potentially modify or disclose information v...

K31833420: Multiple Oracle Java SE vulnerabilities

Security Advisory Description CVE-2022-21305 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and...

K48209417: PostgreSQL vulnerabilities CVE-2018-10915 and CVE-2018-10925

Security Advisory Description CVE-2018-10915 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrust...

K04154823: Oracle Java SE vulnerability CVE-2019-2426

Security Advisory Description Vulnerability in the Java SE component of Oracle Java SE subcomponent: Networking. Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network acce...

K25033460: TMM vulnerability CVE-2017-6133

Security Advisory Description In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, undisclosed HTTP requests may cause a denial of service. CVE-2017-6133 Impact The Traffic Management Microkernel TMM generates a core...

K16781: Linux kernel vulnerability CVE-2014-3535

Security Advisory Description Description include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdevprintk and its related logging implementation, which allows remote attackers to cause a denial of service NULL pointer dereference and system crash by sending...

K15931: Unbound vulnerability CVE-2014-8602

Security Advisory Description iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service memory and CPU consumption via a large or infinite number of referrals. CVE-2014-8602 Impact An attacker with a properly...

K45611803: TMM vulnerability CVE-2018-5530

Security Advisory Description F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to "HPACK Bomb". CVE-2018-5530 Impact HPACK bombs are designed to consume an abnormal amount of memory resources on a target system, which can...

K77508618: Multiple Oracle MySQL vulnerabilities

Security Advisory Description CVE-2016-0502 Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2016-0505 Unspecified vulnerability in Oracle MySQL 5.5.46 and...

K8920: Linux kernel vulnerability CVE-2007-2876

Security Advisory Description Note : Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the ...

K42558402: Linux kernel vulnerability CVE-2018-5814

Security Advisory Description In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple U...

K06223540: F5 TCP vulnerability CVE-2015-8240

Security Advisory Description The Traffic Management Microkernel TMM in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, and BIG-IP PEM before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.0 HF6 and BIG-IP PSM before 11.4.1 HF10 does not properly handle TCP options,...

K14154: SQL injection vulnerability from an authenticated source CVE-2012-3000

Security Advisory Description An SQL injection vulnerability exists in a BIG-IP component. This local vulnerability may allow an authenticated attacker to download arbitrary files from the file system. Impact An attacker may be able to exploit the vulnerability and retrieve arbitrary files or...

K3369: TCP reassembly queue vulnerability CAN-2004-0171

Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5...

K15928: Network Time Protocol vulnerability CVE-2009-1252

Security Advisory Description Stack-based buffer overflow in the cryptorecv function in ntpcrypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field...

K16341: Linux kernel Controller Area Network (CAN) vulnerability CVE-2010-2959

Security Advisory Description Integer overflow in net/can/bcm.c in the Controller Area Network CAN implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of...

K17057: QEMU vulnerabilities CVE-2015-3214, CVE-2015-5154, and CVE-2015-5158

Security Advisory Description CVE-2015-3214 An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pitioportread function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare case...

K15642: Samba vulnerability CVE-2013-4476

Security Advisory Description Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local...

K2888: DNS cache poisoning vulnerability CVE-2003-0914

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, see K4602: Overview of the F5...

K41107914: iControl REST vulnerability CVE-2016-9251

Security Advisory Description In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection. CVE-2016-9251 Impact An authenticated attacker may be able to cause an escalation of privileges through a crafte...

K17444: libXfont vulnerabilities CVE-2015-1802, CVE-2015-1803, and CVE-2015-1804

Security Advisory Description CVE-2015-1802 The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users to cause a denial of service out-of-bounds write and crash or possibly execute arbitrary code via a 1 negative or ...

K23520761: BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505

Security Advisory Description On F5 BIG-IP 13.1.0 - 13.1.0.3, when ASM and one or more of these modules AFM/AVR are provisioned, the Traffic Management Microkernel TMM may restart while processing DNS requests when the virtual server is configured with a DNS profile and the Protocol setting is se...

K26430555: MySQL vulnerability CVE-2016-5625

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Packaging. CVE-2016-5625 Impact There is no impact; F5 products are not affected by this vulnerabilit...

K09092524: Binutils vulnerability CVE-2019-9074

Security Advisory Description An issue was discovered in the Binary File Descriptor BFD library aka libbfd, as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfdgetl32 in libbfd.c, when called from pex64getruntimefunction in pei-x8664.c. CVE-2019-9074 Impact...

K02884135: Binutils vulnerability CVE-2019-9071

Security Advisory Description An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in dcounttemplatesscopes in cp-demangle.c after many recursive calls. CVE-2019-9071 Impact There is no impact; F5 products are not affected by this...

K44873550: Apache Storm vulnerability CVE-2021-38294

Security Advisory Description A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution RCE prior to authentication...

K61002104: BIG-IP AFM and PEM TMUI XSS vulnerability CVE-2019-6639

Security Advisory Description Undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting XSS issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the...

K05314769: BIG-IP Advanced WAF and ASM WebSocket vulnerability CVE-2021-23033

Security Advisory Description When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. CVE-2021-23033 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote attacker to cause a denial-of-service DoS on the...

K41020865: MySQL vulnerability CVE-2016-8286

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows remote authenticated users to affect confidentiality via vectors related to Server: Security: Privileges. CVE-2016-8286 Impact There is no impact; F5 products are not affected by this vulnerability...

K95120415: NGINX Controller AVRD vulnerability CVE-2020-5895

Security Advisory Description AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault SIGSEGV by writing malformed messages to the...

K19361245: BIG-IP TMM vulnerability CVE-2017-6158

Security Advisory Description The Traffic Management Microkernel TMM has a vulnerability related to the handling of invalid IP addresses. CVE-2017-6158 This issue is exposed only when all of the following conditions are met: You have disabled the Auto Last Hop setting at the Virtual Server, VLAN,...

K50543013: libarchive vulnerability CVE-2017-5601

Security Advisory Description An error in the lhareadfileheader1 function archivereadsupportformatlha.c in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. CVE-2017-5601 Impact No F5 products ar...

K31404801: F5 BIG-IP TMM vulnerability CVE-2017-6169

Security Advisory Description In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel TMM to produce a core file when it receives malformed URLs during categorization. CVE-2017-6169. Impact ...

K17663061: BIG-IP SSL state mirroring vulnerability CVE-2020-5885

Security Advisory Description BIG-IP systems set up for connection mirroring in a high availability HA pair transfer sensitive cryptographic objects over an insecure communications channel. This is a control plane issue which is exposed only on the network used for connection mirroring...

K52420610: Advanced WAF and BIG-IP ASM TMUI vulnerability CVE-2021-23029

Security Advisory Description Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery SSRF attacks through F5 Advanced Web Application Firewall WAF and the BIG-IP ASM Configuration utility. CVE-2021-23029 Impact An attacker with...

K71265658: Intel CSME vulnerability CVE-2019-0153

Security Advisory Description Buffer overflow in subsystem in IntelR CSME 12.0.0 through 12.0.34 may allow an unauthenticated user to potentially enable escalation of privilege via network access. CVE-2019-0153 Impact An attacker can exploit this vulnerability with Converged Security and Manageme...