6389 matches found
K61105950: iControl REST logs a plaintext password when the syntax of a cURL request is incorrect
Security Advisory Description The BIG-IP system logs the device password in plaintext. This issue occurs when the following condition is met: There are one or more syntax errors in the POST body of a REST token request. Impact Disclosure of the BIG-IP system's device password can lead to other...
K93445609: phpMyAdmin vulnerabilities
Security Advisory Description CVE-2016-1927 The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a...
K31372672: Mozilla NSS vulnerabilities CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183
Security Advisory Description CVE-2015-7181 The secasn1dparseleaf function in Mozilla Network Security Services NSS before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data...
K42406850: F5 SIRT response to the Ukraine crisis
Security Advisory Description Over the past few weeks, the world has watched as tensions have risen between Russia and Ukraine, and most recently, those tensions have escalated into a military conflict. F5 is deeply concerned for the safety of those in harm's way and the impact to everyone affect...
K47145213: OpenSSL vulnerability CVE-2016-2176
Security Advisory Description The X509NAMEoneline function in crypto/x509/x509obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service buffer over-read via crafted EBCDIC ASN.1 data...
K34144932: libwww-perl vulnerability CVE-2014-3230
Security Advisory Description When libwww-perl LWP uses IO::Socket::SSL and when the HTTPSCADIR or HTTPSCAFILE environment variables are set, server certificate verification is disabled. CVE-2014-3230 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory...
K73189318: Linux kernel vulnerability CVE-2015-7509
Security Advisory Description fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service system crash via a crafted no-journal filesystem, a related issue to CVE-2013-2015. CVE-2015-7509 Impact The attacker may be able to cause a...
K72225092: Linux kernel vulnerability CVE-2015-8746
Security Advisory Description fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service NULL pointer dereference and panic via crafted network traffic...
K35424631: OpenSSH vulnerability CVE-2016-1907
Security Advisory Description The sshpacketreadpoll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service out-of-bounds read and application crash via crafted network traffic. CVE-2016-1907 Impact Remote attackers may be able to cause a denial-of-servi...
K34146339: OpenSSL vulnerability CVE-2000-1254
Security Advisory Description crypto/rsa/rsagen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX...
K13511366: PCRE vulnerability CVE-2014-9769
Security Advisory Description pcrejitcompile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service stack memory corruption or possibly have unspecified other impact via a crafted string, as demonstrated by...
K49580002: BIG-IP file validation vulnerability CVE-2015-8021
Security Advisory Description The BIG-IP Configuration utility may not properly validate file type or contents where uploaded files are allowed in the Access Policy Manager configuration section uploadImage.php. CVE-2015-8021 Impact An authenticated attacker could upload files to the BIG-IP syste...
K98102572: Linux kernel vulnerability CVE-2015-7990
Security Advisory Description Race condition in the rdssendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service NULL pointer dereference and system crash or possibly have unspecified other impact by using a socket that was not properly...
K20911042: OpenSSH vulnerability CVE-2015-8325
Security Advisory Description The dosetupenv function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pamenvironment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the...
K30341203: BIG-IP LTM and NGINX are not exposed to certain desync attacks
Security Advisory Description Multiple desync attacks have been discovered. For more information refer to the following related articles: K27144609: Overview of HTTP/2 desync attacks K63312282: BIG-IP LTM HTTP/2 desync attacks: request line injection K97045220: BIG-IP LTM HTTP/2 desync attacks:...
K37510383: Linux kernel SCTP vulnerability CVE-2015-5283
Security Advisory Description The sctpinit function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service panic or memory corruption by creating SCTP sockets before all of the steps...
K60742457: Linux kernel vulnerability CVE-2015-8374
Security Advisory Description fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action. CVE-2015-8374 Impact A local user may be able to obtain sensitive informati...
K71059632: PHP vulnerability CVE-2015-8616
Security Advisory Description Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collatorsort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service application crash or possibly have unspecified other impact by leveraging the...
K20022580: Linux kernel vulnerability CVE-2013-7446
Security Advisory Description Use-after-free vulnerability in net/unix/afunix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AFUNIX socket permissions or cause a denial of service panic via crafted epollctl calls. CVE-2013-7446 Impact The local user may be able to bypass...
K12903841: Linux kernel vulnerabilities CVE-2015-4170, CVE-2015-6526, and CVE-2015-7837
Security Advisory Description CVE-2015-4170 Race condition in the ldsemcmpxchg function in drivers/tty/ttyldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service ldsemdownread and ldsemdownwrite deadlock by establishing a new tty thread during...
K14340611: Java vulnerability CVE-2013-5782
Security Advisory Description Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality,...
K15364328: Apache vulnerabilities CVE-2012-5783 and CVE-2012-6153
Security Advisory Description CVE-2012-5783 Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509...
K46264120: BIND vulnerability CVE-2016-1285
Security Advisory Description named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service assertion failure and daemon exit via a malformed packet to the rndc aka control channel interface, related to alist.c and sexpr.c. CVE-2016-1285...
K02201365: SLOTH: TLS 1.2 handshake vulnerability CVE-2015-7575
Security Advisory Description A flaw was found in the way TLS 1.2 uses RSA+MD5 signatures with Client Authentication and ServerKeyExchange messages during a TLS 1.2 handshakes. An attacker with a Man-in-the-Middle network position and the ability to force / observe the use of RSA+MD5 during a TLS...
K01948202: Linux kernel vulnerability CVE-2016-0728
Security Advisory Description The joinsessionkeyring function in security/keys/processkeys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service integer overflow and use-after-free via...
K79401162: Samba vulnerabilities CVE-2016-2111, CVE-2016-2113, and CVE-2016-2114
Security Advisory Description CVE-2016-2111 The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session...
K64009378: OpenSSL vulnerability CVE-2016-0701
Security Advisory Description The DHcheckpubkey function in crypto/dh/dhcheck.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman DH key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple...
K47133310: Samba vulnerability CVE-2016-2112
Security Advisory Description The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying...
K75152412: OpenSSL vulnerability CVE-2016-2108
Security Advisory Description The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service buffer underflow and memory corruption via an ANY field in crafted serialized data, aka the "negative zero" issue...
K66504414: Foomatic vulnerability CVE-2010-5325
Security Advisory Description Heap-based buffer overflow in the unhtmlify function in foomatic-rip in foomatic-filters before 4.0.6 allows remote attackers to cause a denial of service memory corruption and crash or possibly execute arbitrary code via a long job title. CVE-2010-5325 Impact There ...
K82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
Security Advisory Description Cleartext SessionID is visible in URL query parameters under some conditions. CVE-2016-3686 Impact There is a theoretical risk that a user could obtain unauthorized access to the system, causing a security breach. Security Advisory Status F5 Product Development has...
K65342329: Java vulnerabilities CVE-2016-0494, CVE-2016-0448, and CVE-2016-0402
Security Advisory Description CVE-2016-0494 Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D...
K74954302: PHP vulnerability CVE-2016-2554
Security Advisory Description Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service application crash or possibly have unspecified other impact via a crafted TAR archive. CVE-2016-2554...
K23196136: OpenSSL vulnerability CVE-2016-0800
Security Advisory Description The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to...
K15095307: BDF parsing vulnerability CVE-2012-5669
Security Advisory Description The bdfparseglyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service crash and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read...
K02360853: NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195
Security Advisory Description CVE-2015-5194 The logconfigcommand function in ntpparser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service ntpd crash via crafted logconfig commands. CVE-2015-5195 ntpopenssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attacke...
K86533083: BIND vulnerability CVE-2015-8705
Security Advisory Description buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service REQUIRE assertion failure and daemon exit, or daemon crash or possibly have unspecified other impact via 1 OPT data or 2 an ECS...
K63443590: Apache Commons FileUpload vulnerability CVE-2013-2186
Security Advisory Description The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized...
K51518670: Linux kernel vulnerability CVE-2015-2922
Security Advisory Description The ndiscrouterdiscovery function in net/ipv6/ndisc.c in the Neighbor Discovery ND protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hoplimit value in a Router...
K51025324: Apache Tomcat 7.x vulnerabilities CVE-2015-5346, CVE-2015-5351, and CVE-2016-0763
Security Advisory Description CVE-2015-5346 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to...
K52470083: Apache vulnerability CVE-2010-0408
Security Advisory Description The approxyajprequest function in modproxyajp.c in modproxyajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service backend server...
K06288381: NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978
Security Advisory Description CVE-2015-7977 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service NULL pointer dereference via a ntpdc reslist command. CVE-2015-7978 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a...
K18174924: Apache Tomcat 6.x vulnerability CVE-2016-0706
Security Advisory Description Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users ...
K34250741: BIND vulnerability CVE-2015-8000
Security Advisory Description db.c in named in ISC BIND 9.x before 9.9.8-P2 and 9.10.x before 9.10.3-P2 allows remote attackers to cause a denial of service REQUIRE assertion failure and daemon exit via a malformed class attribute. CVE-2015-8000 Impact An attack may cause a denial-of-service DoS ...
K17588029: Apache Struts vulnerabilities CVE-2016-0785, CVE-2016-2162, CVE-2016-3081, CVE-2016-3082, and CVE-2016-4003
Security Advisory Description CVE-2016-0785 Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%" sequence in a tag attribute, aka forced double OGNL evaluation. CVE-2016-2162 Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object...
K30971148: Apache Tomcat 6.x vulnerability CVE-2015-5174
Security Advisory Description Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. slash dot dot in...
K59722044: PHP vulnerabilities CVE-2016-1903 and CVE-2016-1904
Security Advisory Description CVE-2016-1903 The gdImageRotateInterpolated function in ext/gd/libgd/gdinterpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service out-of-bounds read and...
K22234807: Apache vulnerability CVE-2009-3094
Security Advisory Description The approxyftphandler function in modules/proxy/proxyftp.c in the modproxyftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service NULL pointer dereference and child process crash via a malformed reply to an EPSV...
K48042976: BIG-IP SSL vulnerability CVE-2016-4545
Security Advisory Description On virtual servers with Secure Sockets Layer SSL profiles enabled, an SSL alert sent during the handshake may produce unnecessary logging and resource consumption on a BIG-IP system that is running 11.5.4 FINAL, possibly causing the Traffic Management Microkernel TMM...
K33209124: OpenSSL vulnerability CVE-2015-3197
Security Advisory Description ssl/s2srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to t...