6294 matches found

F5 Networks • added 2024/08/22 8:15 p.m.

K000140745: BIND vulnerability CVE-2024-1975

Security Advisory Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG0 signed requests. This issue affects BIND ...

CVSS 7.5 • AI score 8.5 • EPSS 0.02114
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/22 6:03 p.m.

K000140630: NGINX Agent vulnerability CVE-2024-7634

Security Advisory Description NGINX Agent's config_dirs restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. CVE-2024-7634 Impact Under the default configuration, a user can overwrite arbitrary files on any...

CVSS 6.9 • AI score 5.4 • EPSS 0.00471
Exploits: 0 • Affected software: 2

F5 Networks • added 2024/08/21 10:01 p.m.

K000140768: OpenSSH vulnerability CVE-2024-7589

Security Advisory Description A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s...

CVSS 8.1 • AI score 8 • EPSS 0.02038
Exploits: 0

F5 Networks • added 2024/08/19 4:11 p.m.

K000140744: MySQL vulnerability CVE-2024-21171

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple...

CVSS 6.5 • AI score 6.5 • EPSS 0.00876
Exploits: 0

F5 Networks • added 2024/08/19 4:07 p.m.

K000140743: MySQL vulnerability CVE-2024-21159

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

CVSS 4.9 • AI score 5.2 • EPSS 0.00786
Exploits: 0

F5 Networks • added 2024/08/19 4:04 p.m.

K000140742: MySQL vulnerability CVE-2024-21179

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

CVSS 4.9 • AI score 5.2 • EPSS 0.00682
Exploits: 0

F5 Networks • added 2024/08/19 12:28 a.m.

K000140735: Oracle MySQL vulnerabilities CVE-2024-21160, CVE-2024-21162, and CVE-2024-21173

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

CVSS 4.9 • AI score 5.2 • EPSS 0.0085
Exploits: 0

F5 Networks • added 2024/08/17 3:39 a.m.

K000140732: BIND vulnerability CVE-2024-1737

Security Advisory Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname of any RTYPE can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects...

CVSS 7.5 • AI score 8.7 • EPSS 0.02114
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/14 10:02 p.m.

K000140711: Python urllib3 vulnerability CVE-2024-37891

Security Advisory Description urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy suppor...

CVSS 6.5 • AI score 8.2 • EPSS 0.00965
Exploits: 1 • Affected software: 12

F5 Networks • added 2024/08/14 1:44 p.m.

K000140552: Quarterly Security Notification (August 2024)

Security Advisory Description On August 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...

CVSS 8.9 • AI score 7.1 • EPSS 0.00628
Exploits: 0

F5 Networks • added 2024/08/14 1:22 p.m.

K000140111: BIG-IP Next Central Manager vulnerability CVE-2024-39809

Security Advisory Description The BIG-IP Next Central Manager user session refresh token does not expire when a user logs out. CVE-2024-39809 Impact An attacker with access to obtain a user's session cookies can continue to use that session to access BIG-IP Next Central Manager and systems manage...

CVSS 8.9 • AI score 6.7 • EPSS 0.00413
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/14 1:21 p.m.

K000139938: BIG-IP Next Central Manager vulnerability CVE-2024-37028

Security Advisory Description BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. CVE-2024-37028 Impact An unauthenticated attacker can exploit this vulnerability to lock out a BIG-IP Next Central Manager webUI account that has never been logged...

CVSS 6.3 • AI score 6.8 • EPSS 0.00448
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/14 1:18 p.m.

K000140108: NGINX Plus MQTT vulnerability CVE-2024-39792

Security Advisory Description When NGINX Plus is configured to use the MQTT filter module, undisclosed requests can cause an increase in memory resource utilization. CVE-2024-39792 Impact System performance can degrade until the NGINX master and worker processes are either forced to restart or ar...

CVSS 8.7 • AI score 9 • EPSS 0.00628
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/14 1:16 p.m.

K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164

Security Advisory Description When a TCP profile with Multipath TCP enabled (MPTCP) is configured on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2024-41164 Impact Traffic is disrupted...

CVSS 8.2 • AI score 7 • EPSS 0.0044
Exploits: 0 • Affected software: 14

F5 Networks • added 2024/08/14 1:14 p.m.

K000140529: NGINX ngx_http_mp4_module vulnerability CVE-2024-7347

Security Advisory Description NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the...

CVSS 5.7 • AI score 8.1 • EPSS 0.0032
Exploits: 0 • Affected software: 2

F5 Networks • added 2024/08/14 1:13 p.m.

K000140006: BIG-IP Next Central Manager vulnerability CVE-2024-41719

Security Advisory Description When you generate a QKView file of a BIG-IP Next instance from the BIG-IP Next Central Manager, F5 iHealth credentials are logged in the BIG-IP Central Manager log file. CVE-2024-41719 Impact The F5 iHealth credentials entered on the BIG-IP Next Central Manager to...

CVSS 5.5 • AI score 6.6 • EPSS 0.00154
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/14 1:12 p.m.

K000138833: BIG-IP TMM vulnerability CVE-2024-41727

Security Advisory Description In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed traffic can cause an increase in memory resource utilization. CVE-2024-41727 Impact System performance can degrade until the Traffic...

CVSS 8.7 • AI score 6.8 • EPSS 0.00481
Exploits: 0 • Affected software: 12

F5 Networks • added 2024/08/14 1:11 p.m.

K05710614: BIG-IP HSB vulnerability CVE-2024-39778

Security Advisory Description When a stateless virtual server is configured on a BIG-IP system with a High-Speed Bridge (HSB), undisclosed requests can cause virtual servers to stop processing client connections and the Traffic Management Microkernel (TMM) to terminate. CVE-2024-39778 Impact Traffic ...

CVSS 8.7 • AI score 6.9 • EPSS 0.00481
Exploits: 0 • Affected software: 12

F5 Networks • added 2024/08/14 1:10 p.m.

K10438187: BIG-IP iControl REST vulnerability CVE-2024-41723

Security Advisory Description Undisclosed requests to BIG-IP iControl REST can lead to an information leak of user account names. CVE-2024-41723 Impact This vulnerability allows for a remote authenticated attacker with network access to the iControl REST interface, through the BIG-IP management...

CVSS 5.3 • AI score 6.6 • EPSS 0.00301
Exploits: 0 • Affected software: 12

F5 Networks • added 2024/08/13 3:29 p.m.

K000140693: Apache HTTP server vulnerability CVE-2024-39573

Security Advisory Description Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. CVE-2024-39573...

CVSS 7.5 • AI score 6.3 • EPSS 0.35447
Exploits: 0 • Affected software: 15

F5 Networks • added 2024/08/13 7:15 a.m.

K000140698: Python-pillow vulnerability CVE-2024-28219

Security Advisory Description In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. CVE-2024-28219 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated th...

CVSS 6.7 • AI score 6.4 • EPSS 0.00989
Exploits: 0

F5 Networks • added 2024/08/13 7:08 a.m.

K000140696: Qt vulnerability CVE-2023-51714

Security Advisory Description An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVE-2023-51714 Impact There is no...

CVSS 9.8 • AI score 8.6 • EPSS 0.00986
Exploits: 0

F5 Networks • added 2024/08/13 7:02 a.m.

K000140695: PHP vulnerability CVE-2024-5458

Security Advisory Description In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information username ...

CVSS 5.3 • AI score 6.6 • EPSS 0.12117
Exploits: 1

F5 Networks • added 2024/08/12 5:34 p.m.

K000140691: Linux kernel vulnerability CVE-2022-2586

Security Advisory Description It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted. CVE-2022-2586 Impact There is no impact; F5 products are not affected by this vulnerability. Security Adviso...

CVSS 7.8 • AI score 6.9 • EPSS 0.12746
Exploits: 7

F5 Networks • added 2024/08/08 4:56 a.m.

K000140620: Apache HTTPD vulnerabilities CVE-2024-38474 and CVE-2024-38475

Security Advisory Description CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to b...

CVSS 9.8 • AI score 9.2 • EPSS 0.99957
Exploits: 1 • Affected software: 14

F5 Networks • added 2024/08/08 3:53 a.m.

K000140618: Apache HTTPD vulnerability CVE-2024-38476

Security Advisory Description The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60,...

CVSS 9.8 • AI score 6.7 • EPSS 0.41611
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/08/06 4:18 p.m.

K000140602: BIND vulnerability CVE-2024-4076

Security Advisory Description Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1...

CVSS 7.5 • AI score 8 • EPSS 0.02111
Exploits: 0

F5 Networks • added 2024/08/05 8:50 a.m.

K000140581: Apache mod_proxy vulnerability CVE-2024-36387

Security Advisory Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. CVE-2024-36387 Impact There is no impact; F5 products are not affected by this vulnerability...

CVSS 5.4 • AI score 5.4 • EPSS 0.01715
Exploits: 0

F5 Networks • added 2024/08/05 8:45 a.m.

K000140579: Apache vulnerability CVE-2024-39884

Security Advisory Description A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of...

CVSS 6.2 • AI score 6.4 • EPSS 0.00889
Exploits: 0

F5 Networks • added 2024/08/03 3:46 a.m.

K000140505: Apache HTTPD vulnerability CVE-2024-38473

Security Advisory Description Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixe...

CVSS 8.1 • AI score 7.4 • EPSS 0.25878
Exploits: 1 • Affected software: 1

F5 Networks • added 2024/08/02 6:19 p.m.

K000140563: Linux kernel vulnerability CVE-2023-38409

Security Advisory Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map...

CVSS 5.5 • AI score 6.6 • EPSS 0.0018
Exploits: 0

F5 Networks • added 2024/07/31 7:04 p.m.

K000140528: BIND vulnerability CVE-2024-0760

Security Advisory Description A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions...

CVSS 7.5 • AI score 8.1 • EPSS 0.0468
Exploits: 0

F5 Networks • added 2024/07/25 6:20 p.m.

K000140433: MySQL vulnerability CVE-2024-21176

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.4.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to...

CVSS 5.3 • AI score 5 • EPSS 0.00696
Exploits: 0

F5 Networks • added 2024/07/25 1:29 a.m.

K000140297: Speculative race condition vulnerability CVE-2024-26602

Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: sched/membarrier: reduce the ability to hammer on sys_membarrier On some systems, sys_membarrier can be very expensive, causing overall slowdowns for everything. So put a lock on the path in order to...

CVSS 5.5 • AI score 5.5 • EPSS 0.00318
Exploits: 0

F5 Networks • added 2024/07/23 10:01 p.m.

K000140414: Loop DOS UDP vulnerability CVE-2024-2169

Security Advisory Description Implementations of UDP application protocol are vulnerable to network loops. An unauthenticated attacker can use maliciously-crafted packets against a vulnerable implementation that can lead to Denial of Service (DoS) and/or abuse of resources. CVE-2024-2169 Impact The...

CVSS 7.5 • AI score 6.7 • EPSS 0.05397
Exploits: 0

F5 Networks • added 2024/07/22 10:18 p.m.

K000140405: Multiple OpenJDK vulnerabilities

Security Advisory Description CVE-2024-21147 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1;...

CVSS 7.4 • AI score 5.8 • EPSS 0.01257
Exploits: 0

F5 Networks • added 2024/07/22 9:16 a.m.

K000140399: MySQL vulnerabilities CVE-2024-21130, CVE-2024-21142, CVE-2024-21166, and CVE-2024-21185

Security Advisory Description CVE-2024-21130 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access...

CVSS 5.9 • AI score 5.3 • EPSS 0.00863
Exploits: 0

F5 Networks • added 2024/07/11 8:47 a.m.

K000140303: Apache Tomcat vulnerability CVE-2024-34750

Security Advisory Description Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams...

CVSS 7.5 • AI score 7.6 • EPSS 0.04602
Exploits: 0

F5 Networks • added 2024/07/05 7:02 p.m.

K000140257: OpenSSL vulnerability CVE-2024-4741

Security Advisory Description Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or...

CVSS 7.5 • AI score 8 • EPSS 0.02945
Exploits: 0 • Affected software: 1

F5 Networks • added 2024/07/03 8:30 p.m.

K000140251: Python vulnerabilities CVE-2022-48564 and CVE-2022-48566

Security Advisory Description CVE-2022-48564 read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. CVE-2022-48566 An issue was discovered in compare_digest in...

CVSS 6.5 • AI score 7.1 • EPSS 0.01447
Exploits: 2

F5 Networks • added 2024/07/03 8:26 p.m.

K000140250: Expat vulnerability CVE-2023-52426

Security Advisory Description libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. CVE-2023-52426 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the...

CVSS 5.5 • AI score 6.8 • EPSS 0.00373
Exploits: 0

F5 Networks • added 2024/07/02 6:02 a.m.

K000140225: Codemirror vulnerability CVE-2020-7760

Security Advisory Description This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in...

CVSS 7.5 • AI score 6.4 • EPSS 0.05197
Exploits: 1

F5 Networks • added 2024/07/01 6:06 p.m.

K000140222: OpenSSH server vulnerability CVE-2024-6387

Security Advisory Description A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a se...

CVSS 9.3 • AI score 7.8 • EPSS 0.99506
Exploits: 68 • Affected software: 8

F5 Networks • added 2024/06/28 4:38 p.m.

K000140189: Linux kernel vulnerability CVE-2021-47572

Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix null pointer dereference when IPv6 is not enabled When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path of...

CVSS 5.5 • AI score 5 • EPSS 0.00207
Exploits: 0

F5 Networks • added 2024/06/28 4:35 p.m.

K000140188: PostgreSQL vulnerability CVE-2024-0985

Security Advisory Description Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of...

CVSS 8 • AI score 8 • EPSS 0.01465
Exploits: 0

F5 Networks • added 2024/06/18 8:33 p.m.

K000140043: runc vulnerability CVE-2024-21626

Security Advisory Description runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process from runc exec to have a working directo...

CVSS 8.6 • AI score 7.5 • EPSS 0.16775
Exploits: 18

F5 Networks • added 2024/06/18 8:11 p.m.

K000140042: libldap vulnerability CVE-2020-15719

Security Advisory Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 i...

CVSS 4.2 • AI score 6.8 • EPSS 0.02417
Exploits: 0

F5 Networks • added 2024/06/18 6:22 p.m.

K000140040: OpenLDAP slapd vulnerabilities CVE-2020-36230, CVE-2020-36229, CVE-2017-17740, CVE-2017-9287, and CVE-2017-14159

Security Advisory Description CVE-2020-36230 A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. CVE-2020-36229 A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57...

CVSS 7.5 • AI score 6.5 • EPSS 0.1229
Exploits: 1

F5 Networks • added 2024/06/18 5:51 p.m.

K000140039: Intel QAT vulnerability CVE-2023-32641

Security Advisory Description Improper input validation in firmware for Intel(R) QAT before version QAT20.L.1.0.40-00004 may allow escalation of privilege and denial of service via adjacent access. CVE-2023-32641 Impact There is no impact; F5 products are not affected by this vulnerability. Securit...

CVSS 8.8 • AI score 8.5 • EPSS 0.0031
Exploits: 0

F5 Networks • added 2024/06/17 10:36 p.m.

K000140029: libcurl vulnerability CVE-2024-2398

Security Advisory Description When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously...

CVSS 8.6 • AI score 7 • EPSS 0.36081
Exploits: 1

Total number of security vulnerabilities: 6294