K000137090: Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123

Security Advisory Description CVE-2018-12121 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the...

K000137058: Linux kernel vulnerability CVE-2022-4269

Security Advisory Description A flaw was found in the Linux kernel Traffic Control TC subsystem. Using a specific networking configuration redirecting egress packets to ingress using TC action "mirred" a local unprivileged user could trigger a CPU soft lockup ABBA deadlock when the transport...

K000137054: libwebp vulnerabilities CVE-2023-4863 and CVE-2023-5129

Security Advisory Description CVE-2023-4863 Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: Critical CVE-2023-5129 REJECTED This CVE I...

K000137038: BIND vulnerability CVE-2023-4236

Security Advisory Description A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9...

K000136907: BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124

Security Advisory Description BIG-IP APM clients may send IP traffic outside of the VPN tunnel. CVE-2023-43124 Impact If a client machine connects to a malicious adjacent network device, such as a router or Wi-Fi hotspot, an attacker may be able to trick the client into sending IP traffic outside...

K000136909: BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125

Security Advisory Description BIG-IP APM clients may send IP traffic outside of the VPN tunnel. CVE-2023-43125 Impact If a client machine connects to a malicious DNS device, an attacker may be able to trick the client into sending IP traffic outside of the VPN tunnel. Any clear text traffic leake...

K000137002: systemd vulnerability CVE-2020-13529

Security Advisory Description An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets...

K000136957: Apache struts vulnerability CVE-2023-41835

Security Advisory Description When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Strut...

K000136924: Node.JS vulnerabilities CVE-2018-7158, CVE-2018-7164, and CVE-2018-7166

Security Advisory Description CVE-2018-7158 The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service ReDoS vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The...

K000136903: OpenSSL Diffie-Hellman vulnerability CVE-2023-3446

Security Advisory Description Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DHcheck, DHcheckex or EVPPKEYparamcheck to check a DH key or DH parameters may experience long delays. Where the key or parameters tha...

K000136157: sssd vulnerability CVE-2022-4254

Security Advisory Description sssd: libssscertmap fails to sanitise certificate data used in LDAP filters CVE-2022-4254 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for...

K000136168: Intel BIOS firmware vulnerabilities CVE-2022-44611 and CVE-2022-27879

Security Advisory Description CVE-2022-44611 Improper input validation in the BIOS firmware for some IntelR Processors may allow a privileged user to potentially enable escalation of privilege via adjacent access. CVE-2022-27879 Improper buffer restrictions in the BIOS firmware for some IntelR...

K000136153: cURL vulnerability CVE-2023-23914

Security Advisory Description A cleartext transmission of sensitive information vulnerability exists in curl. CVE-2023-23914 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported release...

K000136109: PHP SQLite vulnerability CVE-2022-31631

Security Advisory Description In PHP versions 8.0. before 8.0.27, 8.1. before 8.1.15, 8.2. before 8.2.2 when using PDO::quote function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injectio...

K000136079: Redis vulnerability CVE-2022-0543

Security Advisory Description It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a Debian-specific Lua sandbox escape, which could result in remote code execution. CVE-2022-0543 Impact There is no impact; F5 products are not affected by this...

K000136011: Apache Tomcat Open Redirect vulnerability CVE-2023-41080

Security Advisory Description URL Redirection to Untrusted Site 'Open Redirect' vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.9...

K000135997: Multiple Node.js vulnerabilities

Security Advisory Description CVE-2023-32002 The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x an...

K000135996: Intel RDMA Ethernet Controller vulnerability CVE-2023-25775

Security Advisory Description Improper access control in the IntelR Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access. CVE-2023-25775 Impact There is no impact; F5 products are not...

K000135921: Python urllib.parse vulnerability CVE-2023-24329

Security Advisory Description An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. CVE-2023-24329 Impact F5 products do not ship with Python scripts that utilize the affected Python...

K000135880: glibc vulnerability CVE-2023-25139

Security Advisory Description sprintf in the GNU C Library glibc 2.37 has a buffer overflow out-of-bounds write in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded,...

K000135852: FasterXML jackson-databind vulnerability CVE-2022-42003

Security Advisory Description In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAPSINGLEVALUEARRAYS feature is enabled. Additional fix version in 2.13.4.1 a...

K000135854: ESAPI (The OWASP Enterprise Security API) vulnerability CVE-2022-23457

Security Advisory Description ESAPI The OWASP Enterprise Security API is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPathString, String, File, boolean may incorrectly treat the tested input strin...

K000135853: Dell BSAFE Micro Edition vulnerability CVE-2020-35168

Security Advisory Description Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. CVE-2020-35168 Impact There is no impact; F5 products are not affected by this vulnerability...

K000135831: Node.js vulnerability CVE-2023-32067

Security Advisory Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interpret...

K000135795: Downfall Attacks CVE-2022-40982

Security Advisory Description Information exposure through microarchitectural state after transient execution in certain vector execution units for some IntelR Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2022-40982 Impact Successfu...

K000135718: OpenJDK vulnerabilities CVE-2023-22006, CVE-2023-22043, and CVE-2023-22045

Security Advisory Description CVE-2023-22006 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Networking. Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise...

K000135709: OpenSSH vulnerability CVE-2023-38408

Security Advisory Description The PKCS11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. Code in /usr/lib is not necessarily safe for loading into ssh-agent. NOT...

K000135479: Overview of F5 vulnerabilities (August 2023)

Security Advisory Description On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. Important :...

K000135449: BIG-IP FIPS HSM password vulnerability CVE-2023-3470

Security Advisory Description Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated attacker with TMOS Shell tmsh access to the BIG-IP system, or anyone with...

K000134922: F5OS-A vulnerability CVE-2023-36494

Security Advisory Description Audit logs on the F5OS-A system may contain undisclosed sensitive information. CVE-2023-36494 Impact This vulnerability may allow a high privileged authenticated attacker with local access to an F5OS-A system to read undisclosed sensitive information. Security Adviso...

K000134535: BIG-IP Configuration utility vulnerability CVE-2023-38423

Security Advisory Description A cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. CVE-2023-38423 Impact An authenticated attacker may exploit this...

K000133472: BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2023-38419

Security Advisory Description An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. CVE-2023-38419 Impact The iControl SOAP daemon becomes unresponsive. This vulnerability allows an authenticated attacker with a...

K000134746: BIG-IP Edge Client for macOS vulnerability CVE-2023-38418

Security Advisory Description The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. CVE-2023-38418 Impact An attacker with an ability to run unprivileged arbitrary code on the target macOS client may be able to abuse an...

K000132563: BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858

Security Advisory Description An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list. CVE-2023-36858 Impact An authenticated attacker with local access to the BIG-IP Edge Client on a...

K000133474: BIG-IP Configuration utility vulnerability CVE-2023-38138

Security Advisory Description A reflected cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. CVE-2023-38138 Impact An attacker may exploit this...

K000135674: HarfBuzz vulnerability CVE-2023-25193

Security Advisory Description hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger On^2 growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVE-2023-25193 Impact There is no impact; F5 products are not affected by this...

K000135637: Java vulnerability CVE-2023-22049

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterpri...

K000135636: Java vulnerability CVE-2023-22041

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Editio...

K000135635: Java vulnerability CVE-2023-22044

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6...

K000135633: OpenSSL vulnerability CVE-2023-2975

Security Advisory Description Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries ...

K000135632: AMD Ryzen vulnerability CVE-2023-20593

Security Advisory Description An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. CVE-2023-20593 also known as Zen Bleed Vulnerability Impact There is no impact; F5 products are not affected by this...

K000135627: Oracle MySQL vulnerability CVE-2023-22057

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Replication. Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

K000135626: Oracle Java vulnerability CVE-2023-22036

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Utility. Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10,...

K000135625: Oracle Java vulnerability CVE-2023-22051

Security Advisory Description Vulnerability in the Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: GraalVM Compiler. Supported versions that are affected are Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1...

K000135621: VMware Tools vulnerability CVE-2023-20867

Security Advisory Description A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. CVE-2023-20867 Impact There is no impact; F5 products are not affected by this...

K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757

Security Advisory Description CVE-2020-2756 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows...

K000135534: Java vulnerabilities CVE-2020-14779, CVE-2020-14782

Security Advisory Description CVE-2020-14779 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows...

K000135507: Java vulnerabilities CVE-2020-14781

Security Advisory Description ​​​​​​Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: JNDI. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker...

K000135504: BIND vulnerability CVE-2023-2911

Security Advisory Description If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow. Th...

K000135439: libtar vulnerabilities CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646

Security Advisory Description CVE-2021-33643 An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc0 for a variable gnulonglink, causing an out-of-bounds read. CVE-2021-33644 An attacker who submits a crafted tar file with size in...