SOL8508 - Cross-site scripting vulnerability in installControl.php3 page

A cross-site scripting XSS vulnerability exists in the FirePass installControl.php3 page, which is accessible prior to authentication. The installControl.php3 page fails to fully sanitize URL input before the web page content is sent to the browser. It is possible for an attacker to create web...

SOL6806 - ClamAV UPX heap overflow Vulnerability - CVE-2006-4018

The FirePass controller can be configured to provide anti-virus scanning of files uploaded through Portal Access through the ClamAV open source software. A vulnerability in ClamAV 0.88.4 and earlier versions could allow a remote attacker to crash the scanner process or execute code remotely using...

K000156685: Multiple ImageMagick vulnerabilities

Security Advisory Description CVE-2014-9808 ImageMagick allows remote attackers to cause a denial of service segmentation fault and application crash via a crafted dpc image. CVE-2014-9809 ImageMagick allows remote attackers to cause a denial of service segmentation fault and application crash vi...

K000149329: PostgreSQL vulnerabilities CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, and CVE-2014-0063

Security Advisory Description CVE-2014-0060 PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users t...

K000148349: Spring framework vulnerability CVE-2024-38819

Security Advisory Description The cve record for the cve id does not exist. CVE-2024-38819 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for potential vulnerability, and...

K000148279: CUPS vulnerability CVE-2024-47850

Security Advisory Description CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. The request is meant to probe the new printer bu...

K000141358: Multiple libpng vulnerabilities

Security Advisory Description CVE-2016-3751 Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining...

K000141301: Perl vulnerability CVE-2018-6913

Security Advisory Description Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count. CVE-2018-6913 Impact An attacker may be able to execute arbitrary code on the system. Security Advisory Status F...

K000140742: MySQL vulnerability CVE-2024-21179

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

K000140732: BIND vulnerability CVE-2024-1737

Security Advisory Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname of any RTYPE can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects...

K000140006: BIG-IP Next Central Manager vulnerability CVE-2024-41719

Security Advisory Description When you generate a QKView file of a BIG-IP Next instance from the BIG-IP Next Central Manager, F5 iHealth credentials are logged in the BIG-IP Central Manager log file. CVE-2024-41719 Impact The F5 iHealth credentials entered on the BIG-IP Next Central Manager to...

K000140695: PHP vulnerability CVE-2024-5458

Security Advisory Description In PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, 8.3. before 8.3.8, due to a code logic error, filtering functions such as filtervar when validating URLs FILTERVALIDATEURL for certain types of URLs the function will result in invalid user information username ...

K000138913: BIG-IP Next CNF vulnerability CVE-2024-28132

Security Advisory Description Exposure of a Sensitive Information vulnerability exists in the Global Server Load Balancing GSLB container, which may allow an authenticated attacker with administrator role privileges to view sensitive information. CVE-2024-28132 Impact An authenticated attacker ma...

K000138047: BIG-IP Advanced WAF and BIG-IP ASM Configuration utility vulnerability CVE-2024-23603

Security Advisory Description A SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. CVE-2024-23603 Impact A highly privileged authenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP Configuration...

K000138050: Apache Tomcat vulnerability CVE-2023-41081

Security Advisory Description Important: Authentication Bypass CVE-2023-41081 The modjk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied...

K000135853: Dell BSAFE Micro Edition vulnerability CVE-2020-35168

Security Advisory Description Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. CVE-2020-35168 Impact There is no impact; F5 products are not affected by this vulnerability...

K000135251: Apache Struts vulnerability CVE-2023-34396

Security Advisory Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater CVE-2023-34396 Impact There is no impact; F5...

K000134579: OpenJDK vulnerabilities CVE-2019-2818 and CVE-2019-2821

Security Advisory Description CVE-2019-2818 Vulnerability in the Java SE component of Oracle Java SE subcomponent: Security. Supported versions that are affected are Java SE: 11.0.3 and 12.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...

K000133652: Python vulnerability CVE-2018-18074

Security Advisory Description The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. CVE-2018-18074 Impact Fo...

K43945001: F5 TMM vulnerability CVE-2017-6147

Security Advisory Description An undisclosed type of responses may cause TMM to restart, causing an interruption of service when "SSL Forward Proxy" setting is enabled in both the Client and Server SSL profiles assigned to a BIG-IP Virtual Server. CVE-2017-6147 Impact If the SSL Forward Proxy...

K62201098: BADoS vulnerability CVE-2018-5526

Security Advisory Description Under certain conditions, Behavioral DoS BADoS protection may fail during an attack. CVE-2018-5526 Impact BADoS protection does not function as intended. Security Advisory Status F5 Product Development has assigned IDs 714350 and 714369 BIG-IP to this vulnerability. ...

K12234501: BIG-IP virtual server vulnerability CVE-2020-5883

Security Advisory Description When a virtual server is configured with HTTP explicit proxy and has an attached HTTPPROXYREQUEST iRule, POST requests sent to the virtual server cause an xdata memory leak. CVE-2020-5883 Impact The BIG-IP system may become vulnerable to conditions that result when i...

K4256: RADIUS integer overflow vulnerability CAN-2005-0108

Security Advisory Description Apache modauthradius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service crash via a RADIUSREPLYMESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument. Note: Versions that a...

K17597093: 389-ds-base vulnerability CVE-2017-15135

Security Advisory Description It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the...

K14632915: TMM vulnerability CVE-2019-6603

Security Advisory Description Malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. CVE-2019-6603 Impact This vulnerability...

K99038439: NodeJS vulnerability CVE-2012-2330

Security Advisory Description The Update method in src/nodehttpparser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information request header contents and possibly spoof HTTP headers via a zero...

K57492753: MySQL Optimizer vulnerability CVE-2016-0651

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.CVE-2016-0651 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...

K71612511: Kernel vulnerability CVE-2016-8106

Security Advisory Description A Denial of Service in Intel Ethernet Controller's X710/XL710 with Non-Volatile Memory Images before version 5.05 allows a remote attacker to stop the controller from processing network traffic working under certain network use conditions. CVE-2016-8106 Impact There ...

K68292031: Intel CPU vulnerability CVE-2018-3658

Security Advisory Description Multiple memory leaks in Intel AMT in Intel CSME firmware versions before 12.0.5 may allow an unauthenticated user with Intel AMT provisioned to potentially cause a partial denial of service via network access. CVE-2018-3658 Impact There is no impact; F5 products are...

K23432927: The BIG-IP ASM system may redirect a client request to an incorrect URL

Security Advisory Description The BIG-IP ASM system may redirect a client request to an incorrect URL after the client browser passes the client-side integrity defense JavaScript challenge. This issue occurs when all of the following conditions are met: You have enabled the Client Side Integrity...

K02951273: NTP vulnerability CVE-2017-6463

Security Advisory Description NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service daemon crash via an invalid setting in a :config directive, related to the unpeer option. CVE-2017-6463 Impact A remote, authenticated attacker may exploit this...

K11561403: Intel CPU vulnerability CVE-2018-3657

Security Advisory Description Multiple buffer overflows in Intel AMT in Intel CSME firmware versions before version 12.0.5 may allow a privileged user to potentially execute arbitrary code with Intel AMT execution privilege via local access. CVE-2018-3657 Impact There is no impact; F5 products ar...

K54308152: cURL vulnerability CVE-2021-22923

Security Advisory Description When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download...

K16343: OpenLDAP vulnerabilities CVE-2015-1545 and CVE-2015-1546

Security Advisory Description CVE-2015-1545 The derefparseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service NULL pointer dereference and crash via an empty attribute list in a deref control in a search request...

K10329515: BIG-IP PEM vulnerability CVE-2018-5508

Security Advisory Description Under certain conditions, TMM may produce a core file and restart when processing compressed data though a virtual server with an associated PEM profile using the content insertion option. CVE-2018-5508 Impact The Traffic Management Microkernel TMM generates a core...

K1877: OpenSSH Remote Challenge Vulnerability - CAN-2001-1279

Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5...

K12986: BIND vulnerability CVE-2011-2464

Security Advisory Description Note : For information about signing up to receive security notice updates from F5, refer to K9970: Subscribe to email notifications regarding F5 products and security announcements. Note : Versions that are not listed in this article have not been evaluated for...

K20031768: Intel hardware vulnerabilities CVE-2020-8737 CVE-2020-12312

Security Advisory Description CVE-2020-8737 Improper buffer restrictions in the IntelR StratixR 10 FPGA firmware provided with the IntelR QuartusR Prime Pro software before version 20.1 may allow an unauthenticated user to potentially enable escalation of privilege and/or information disclosure v...

K92991044: lwresd and bind vulnerability CVE-2016-2775

Security Advisory Description ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service daemon crash via a long request that uses the lightweight resolver protocol...

K68652018: iControl REST vulnerability CVE-2021-22974

Security Advisory Description An authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. CVE-2021-22974...

K15742: Linux kernel vulnerabilities CVE-2014-6416, CVE-2014-6417, and CVE-2014-6418

Security Advisory Description CVE-2014-6416 Buffer overflow in net/ceph/authx.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service memory corruption and panic or possibly have unspecified other impact via a long unencrypted auth ticket...

K15428: Apache Tomcat vulnerability CVE-2014-0096

Security Advisory Description java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and...

K15369: OpenSSL vulnerability CVE-2009-0591

Security Advisory Description The CMSverify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually...

K16970: TLS Finish Message vulnerability

Security Advisory Description The BIG-IP system does not verify every byte in the Finished message of a TLS handshake. Impact There is no impact; F5 does not consider this behavior a vulnerability. Security Advisory Status F5 Product Development has assigned ID 530963 to this issue, and has...

K26583415: MQTT vulnerability CVE-2018-15323

Security Advisory Description In certain circumstances, when processing traffic through a Virtual Server with an associated MQTT profile, the TMM process may produce a core file and take the configured HA action. CVE-2018-15323 Impact This vulnerability allows remote attackers to cause a...

K34514540: TMM vulnerability CVE-2017-6138

Security Advisory Description Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "normalize URI" configuration options used in iRules...

K10587158: MySQL vulnerability CVE-2016-8284

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows local users to affect availability via vectors related to Server: Replication. CVE-2016-8284 Impact There is no impact; F5 products are not affected by this vulnerability...

K37404773: TMM vulnerability CVE-2017-6134

Security Advisory Description An undisclosed sequence of packets, sourced from an adjacent network may cause TMM to crash. CVE-2017-6134 Impact This issue is exposed in the default configuration. Traffic processing is disrupted while the Traffic Management Microkernel TMM restarts. If the affecte...

K45407662: BIG-IP DNS vulnerability CVE-2021-23032

Security Advisory Description When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel TMM to terminate. CVE-2021-23032 Impact Traffic is disrupted while the TMM process restarts. This vulnerability...

K05263202: BIG-IP IPsec tunnel endpoint vulnerability CVE-2017-6156

Security Advisory Description When the BIG-IP system is configured with a wildcard IPsec tunnel endpoint, it may allow a remote attacker to disrupt or impersonate the tunnels that have completed phase 1 IPsec negotiations. The attacker must possess the necessary credentials to negotiate the phase...