K000135446: Linux kernel vulnerability CVE-2023-3269

Security Advisory Description A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas VMAs is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kerne...

K000135433: WPA use-after-free vulnerability CVE-2021-27803

Security Advisory Description A vulnerability was discovered in how p2p/p2ppd.c in wpasupplicant before 2.10 processes P2P Wi-Fi Direct provision discovery requests. It could result in denial of service or other impact potentially execution of arbitrary code, for an attacker within radio range...

K000135353: Apache Commons Collection serialized object injection vulnerability CVE-2017-15708

Security Advisory Description In Apache Synapse, by default no authentication is required for Java Remote Method Invocation RMI. So Apache Synapse 3.0.1 or all previous releases 3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1 allows remote code execution attacks that can be performed by injecting speciall...

K000135352: Heimdal vulnerability CVE-2022-3116

Security Advisory Description The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash. CVE-2022-3116 Impact There is no impact; F5...

K000135330: Multiple Nucleus TCP/IP stack vulnerabilities

Security Advisory Description CVE-2021-31889 A vulnerability has been identified in APOGEE MBC PPC BACnet All versions, APOGEE MBC PPC P2 Ethernet All versions, APOGEE MEC PPC BACnet All versions, APOGEE MEC PPC P2 Ethernet All versions, APOGEE PXC Compact BACnet All versions = V2.3 and = V2.3 an...

K000135314: GO vulnerability CVE-2022-28327

Security Advisory Description The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. CVE-2022-28327 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Developme...

K000135312: BIND vulnerability CVE-2023-2828

Security Advisory Description Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement i...

K000135262: Apache Tomcat vulnerability CVE-2023-28709

Security Advisory Description The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameter...

K000135252: BIND vulnerability CVE-2023-2829

Security Advisory Description A named instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache RFC 8198 option synth-from-dnssec enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9...

K000135251: Apache Struts vulnerability CVE-2023-34396

Security Advisory Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater CVE-2023-34396 Impact There is no impact; F5...

K000135242: Linux kernel vulnerability CVE-2023-1390

Security Advisory Description A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipclinkxmit hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer...

K000135223: Apache Tomcat vulnerability CVE-2023-34981

Security Advisory Description A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SENDHEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy modproxyaj...

K000135206: Linux kernel vulnerability CVE-2023-32233

Security Advisory Description In the Linux kernel through 6.3.1, a use-after-free in Netfilter nftables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous...

K000135178: OpenSSL vulnerability CVE-2023-2650

Security Advisory Description Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJobj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message...

K000135156: Apache Struts vulnerability CVE-2023-34149

Security Advisory Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. CVE-2023-34149 Impact There is no impact; F...

K000134942: Intel CPU vulnerability CVE-2022-33972

Security Advisory Description Incorrect calculation in microcode keying mechanism for some 3rd Generation IntelR XeonR Scalable Processors may allow a privileged user to potentially enable information disclosure via local access. CVE-2022-33972 Impact This vulnerability may allow a privileged use...

K000135149: Oracle Java SE vulnerability CVE-2023-21938

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 a...

K000135122: Linux kernel vulnerability CVE-2023-0461

Security Advisory Description There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIGTLS or CONFIGXFRMESPINTCP has to be configured, but the operation does not require any...

K000135001: Python URLlib3 vulnerability CVE-2019-11236

Security Advisory Description In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. CVE-2019-11236 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development...

K000134945: Spring Boot vulnerability CVE-2022-46166

Security Advisory Description Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers e.g. Teams-Notifier and write access to environment variables via UI are affected. User...

K000134938: Intel Processors vulnerability CVE-2022-38090

Security Advisory Description Improper isolation of shared resources in some IntelR Processors when using IntelR Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access. CVE-2022-38090 Impact There is no impact; F5 products are not...

K000134895: Intel QAT Driver vulnerabilities CVE-2022-21804, CVE-2022-21239, CVE-2022-41808

Security Advisory Description CVE-2022-21804 Out-of-bounds write in software for the Intel QAT Driver for Windows before version 1.9.0-0008 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2022-21239 Out-of-bounds read in software for the Intel Q...

K000134818: Python XML RPC vulnerability CVE-2019-16935

Security Advisory Description The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the servertitle field. This occurs in Lib/DocXMLRPCServer. py in Python 2.x, and in Lib/xmlrpc/server. py in Python 3.x. If setservertitle is called with...

K000134793: OpenJDK vulnerability CVE-2018-2952

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit...

K000134802: Kubernetes vulnerability CVE-2020-10749

Security Advisory Description A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle MitM attacks. A malicious container can exploit this flaw by sending rogue IPv6 router...

K000134782: Intel Virtual RAID on CPU vulnerabilities CVE-2022-29919, CVE-2022-30338, CVE-2022-29508, CVE-2022-25976

Security Advisory Description CVE-2022-29919 Use after free in the IntelR VROC software before version 7.7.6.1003 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2022-30338 Incorrect default permissions in the IntelR VROC software before version...

K000134781: Multiple Intel Server Board BMC vulnerabilities

Security Advisory Description CVE-2023-22661 Buffer overflow in some IntelR Server Board BMC firmware before version 2.90 may allow a privileged user to enable escalation of privilege via local access. CVE-2023-22297 Access of memory location after end of buffer in some IntelR Server Board BMC...

K000134768: Linux kernel vulnerability CVE-2022-4378

Security Advisory Description A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. CVE-2022-4378 Impact A locally...

K000134770: Linux kernel vulnerability CVE-2022-42703

Security Advisory Description mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anonvma double reuse. CVE-2022-42703 Impact This vulnerability allows a local attacker to cause a denial-of-service DoS on the Traffix SDC system. Security Advisory Status F5 Product...

K000134764: Java SE vulnerabilities CVE-2018-2941 and CVE-2018-2973

Security Advisory Description CVE-2018-2941 Vulnerability in the Java SE component of Oracle Java SE subcomponent: JavaFX. Supported versions that are affected are Java SE: 7u181, 8u172 and 10.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...

K000134747: PHP vulnerability CVE-2023-0568

Security Advisory Description In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being...

K000134744: Intel BIOS vulnerability CVE-2022-38087

Security Advisory Description Exposure of resource to wrong sphere in BIOS firmware for some IntelR Processors may allow a privileged user to potentially enable information disclosure via local access. CVE-2022-38087 Impact A privileged user may be able to enable information disclosure via local...

K000134748: Kubernetes vulnerabilities CVE-2019-1002100, CVE-2019-11254, CVE-2017-1002101, and CVE-2017-1002102

Security Advisory Description CVE-2019-1002100 In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type:...

K000134735: Intel BIOS vulnerability CVE-2022-33894

Security Advisory Description Improper input validation in the BIOS firmware for some IntelR Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-33894 Impact There is no impact; F5 products are not affected by this vulnerability. Securit...

K000134727: MySQL vulnerability CVE-2023-21962

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Components Services. Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

K000134726: Intel QAT Engine for OpenSSL vulnerability CVE-2022-43507

Security Advisory Description Improper buffer restrictions in the IntelR QAT Engine for OpenSSL before version 0.6.16 may allow a privileged user to potentially enable escalation of privilege via network access. CVE-2022-43507 Impact There is no impact; F5 products are not affected by this...

K000134725: vm2 vulnerability CVE-2023-29017

Security Advisory Description vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox...

K000134724: MySQL vulnerability CVE-2023-21935

Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromis...

K000134706: Python IDNA vulnerability CVE-2022-45061

Security Advisory Description An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA RFC 3490 decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of...

K000134681: Spring Framework vulnerability CVE-2023-20861

Security Advisory Description In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service DoS condition. CVE-2023-20861 Impac...

K000134680: JSON Smart vulnerability CVE-2021-31684

Security Advisory Description A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service DOS via a crafted web request. CVE-2021-31684 Impact There is no impact; F5 products are not affected by this...

K000134672: Zsh vulnerability CVE-2019-20044

Security Advisory Description In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULEPATH=/dir/with/module zmodload with a module that...

K000134671: Paramiko vulnerability CVE-2018-1000805

Security Advisory Description Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. CVE-2018-1000805 Impact There is no impact; F5...

K000134670: Linux kernel vulnerability CVE-2022-2964

Security Advisory Description A flaw was found in the Linux kernel's driver for the ASIX AX88179178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. CVE-2022-2964 Impact There is no impact; F5 products are not...

K000134636: Java vulnerabilities CVE-2018-2942 and CVE-2018-2938

Security Advisory Description CVE-2018-2942 Vulnerability in the Java SE component of Oracle Java SE subcomponent: Windows DLL. Supported versions that are affected are Java SE: 7u181 and 8u172. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...

K000134616: Intel i915 Graphics Drivers for Linux vulnerability CVE-2023-28410

Security Advisory Description Improper restriction of operations within the bounds of a memory buffer in some IntelR i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-28410 Impact...

K000134602: Node.js vulnerabilities CVE-2023-23918 and CVE-2023-23920

Security Advisory Description CVE-2023-23918 A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible to bypass the experimental Permissions https: //nodejs. org/api/permissions.html feature in Node.js and access non authorized modules by...

K000134597: mod_auth_openidc vulnerability CVE-2023-28625

Security Advisory Description modauthopenidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer...

K000134574: OpenSSL vulnerabilities CVE-2023-0465 and CVE-2023-0466

Security Advisory Description CVE-2023-0465 Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certifica...

K000134579: OpenJDK vulnerabilities CVE-2019-2818 and CVE-2019-2821

Security Advisory Description CVE-2019-2818 Vulnerability in the Java SE component of Oracle Java SE subcomponent: Security. Supported versions that are affected are Java SE: 11.0.3 and 12.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...