K15278: SSL renegotiation vulnerability CVE-2011-1473

Security Advisory Description DISPUTED OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service CPU consumption by performing many...

K45616155: Nettle vulnerability CVE-2018-16869

Security Advisory Description A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extrac...

K42204713: Multiple MySQL vulnerabilities

Security Advisory Description CVE-2016-3424 Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer. CVE-2016-3440 Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows remote...

K25225860: Linux kernel vulnerabilities CVE-2019-6454, CVE-2020-12888, and CVE-2020-36385

Security Advisory Description CVE-2019-6454 An issue was discovered in sd-bus in systemd 239. busprocessobject in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit thi...

K15401: OpenSSL vulnerability CVE-2012-2333

Security Advisory Description Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service buffer over-read or possibly have unspecified other impact via a...

K18955141: GnuTLS vulnerability CVE-2018-16868

Security Advisory Description A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plainte...

K14930: PHP vulnerability CVE-2011-4718

Security Advisory Description Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. CVE-2011-4718 Impact None Security Advisory Status To determine if your release is known to be vulnerable, the...

K06208063: Linux kernel vulnerability CVE-2018-1000004

Security Advisory Description In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition. CVE-2018-1000004 Impact There is no impact; F5 products are not affected by this...

K10281096: TLS in Mozilla NSS vulnerability CVE-2018-12404

Security Advisory Description A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack AKA Bleichenbacher attack and affects all NSS versions prior to NSS 3.41. CVE-2018-1240...

K6339: Sendmail race condition - VU#834865

Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5...

K67404630: Oracle WebLogic Server vulnerabilities CVE-2018-2894 and CVE-2018-2935

Security Advisory Description CVE-2018-2894 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware subcomponent: WLS - Web Services. Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticat...

K5533: Potential protocol version rollback vulnerability in OpenSSL - CVE-2005-2969

Security Advisory Description Note : For information about signing up to receive security notice updates from F5, refer to K9970: Subscribe to email notifications regarding F5 products and security announcements. Note : Versions that are not listed in this Solution have not been evaluated for...

K4809: tcpdump vulnerabilities CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

K45810018: Multiple Insyde BIOS/EFI vulnerabilities

Security Advisory Description CVE-2020-5953 A vulnerability exists in System Management Interrupt SWSMI handler of InsydeH2O UEFI Firmware code located in SWSMI handler that dereferences gRT EFIRUNTIMESERVICES pointer to call a GetVariable service, which is located outside of SMRAM. This can resu...

K11795: Pre-logon sequence vulnerability to Cross-Site Scripting

Security Advisory Description Note : Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5...

K06372014: PHP vulnerability CVE-2019-9023

Security Advisory Description An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur...

K06323049: BIG-IP IPsec ALG vulnerability CVE-2022-29473

Security Advisory Description When an IPSec ALG profile is configured on a virtual server, undisclosed responses can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-29473 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated...

K9754: BIND 9 vulnerability CVE-2009-0025

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5...

K9761: PHP vulnerability - CVE-2008-5557

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305

Security Advisory Description By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL...

K76444020: OpenJDK vulnerabilities CVE-2019-2933 and CVE-2019-2958

Security Advisory Description CVE-2019-2933 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Libraries. Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows...

K80922332: PHP vulnerability CVE-2015-8866

Security Advisory Description ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxmldisableentityloader changes in other threads, which allows remote attackers to conduct XML External Entity XXE and XML Entity Expansion XEE...

K67416037: Linux kernel vulnerability CVE-2021-23133

Security Advisory Description A race condition in Linux kernel SCTP sockets net/sctp/socket.c before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctpdestroysock is called without socknetsk-sctp.addrwqlock then an element is...

K43314223: libxml2 vulnerability CVE-2016-1835

Security Advisory Description Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to cause a denial of service via a crafted XML document. CVE-2016-1835 Impact Allows an attacke...

K43167094: Apache Struts 2 vulnerability CVE-2016-6795

Security Advisory Description In the Convention plugin in Apache Struts 2.3.20 through 2.3.30, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. CVE-2016-6795 Impact There is no impact; F5 products are not affected by thi...

K45752041: Samba vulnerability CVE-2021-44141

Security Advisory Description All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in...

K34002344: Overview of Log4j vulnerabilities (2021 and 2022)

Security Advisory Description This document is intended to serve as an overview of the 2021 and 2022 Log4j vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory. High CVEs Medium CVEs Not Vulnerable CVEs High CV...

K34985231: PHP vulnerabilities CVE-2016-6288 and CVE-2016-6289

Security Advisory Description CVE-2016-6288 The phpurlparseex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service buffer over-read or possibly have unspecified other impact via vectors involving the smartstr data type. CVE-2016-6289 Integer...

K40564589: PHP vulnerability CVE-2016-7126

Security Advisory Description The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service selectcolors allocation error and out-of-bounds write or possibl...

K24322529: libxml2 vulnerabilities CVE-2016-4447 and CVE-2016-4449

Security Advisory Description CVE-2016-4447 The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service heap-based buffer underread and application crash via a crafted file, involving xmlParseName. CVE-2016-4449 XML external...

K31113511: Apache APISIX Dashboard vulnerability CVE-2021-45232

Security Advisory Description In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of...

K28360903: Linux Kernel vulnerability CVE-2021-28375

Security Advisory Description An issue was discovered in the Linux kernel through 5.11.6. fastrpcinternalinvoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308. CVE-2021-28375 Impact Ther...

K19820866: Linux kernel vulnerability CVE-2018-7492

Security Advisory Description A NULL pointer dereference was found in the net/rds/rdma.c rdsrdmamap function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDSGETMR and RDSGETMRFORDEST. CVE-2018-7492 Impact There is no impact...

K14338030: libxml2 vulnerability CVE-2016-1762

Security Advisory Description The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service heap-based buffer over-read via a crafted XML document. CVE-2016-1762 Impact Allows an attacker unauthorized disclosure of information, unauthorized modification, an...

K02825271: Linux kernel vulnerability CVE-2017-13166

Security Advisory Description An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167. CVE-2017-13166 Impact This flaw could be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace...

K95432245: PHP vulnerability CVE-2016-5768

Security Advisory Description Double free vulnerability in the phpmbregexeregreplaceexec function in phpmbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service application...

K15850913: PHP vulnerability CVE-2016-6290

Security Advisory Description ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service use-after-free or possibly have unspecified other impact via...

K10429441: Linux kernel vulnerability CVE-2020-14331

Security Advisory Description A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VTRESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to t...

K92807525: TMUI XSS vulnerability CVE-2022-27878

Security Advisory Description A stored cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. CVE-2022-27878 Impact An authenticated attacker may exploit...

K62832776: RPC portmapper vulnerability CVE-1999-0632

Security Advisory Description The RPC portmapper service is running. CVE-1999-0632 Impact This issue affects an unknown function of the component RPC portmapper service. The manipulation with an unknown input leads to a privilege escalation vulnerability impacting confidentiality, integrity, and...

K45452200: Python-Pillow vulnerability CVE-2021-25287

Security Advisory Description An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayala. CVE-2021-25287 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated th...

K95005525: Linux kernel vulnerability CVE-2018-6554

Security Advisory Description Memory leak in the irdabind function in net/irda/afirda.c and later in drivers/staging/irda/net/afirda.c in the Linux kernel before 4.17 allows local users to cause a denial of service memory consumption by repeatedly binding an AFIRDA socket. CVE-2018-6554 Impact...

K25423748: QEMU vulnerability CVE-2019-14378

Security Advisory Description ipreass in ipinput.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. CVE-2019-14378 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Statu...

K43546166: glibc vulnerability CVE-2017-16997

Security Advisory Description elf/dl-load.c in the GNU C Library aka glibc or libc6 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged setuid or ATSECURE program, which allows local users to gain privileges via a Trojan horse library in the current working director...

K29149494: iControl REST vulnerability CVE-2019-6637

Security Advisory Description Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated...

K59197053: BIG-IP TLS 1.3 iRule vulnerability CVE-2022-34651

Security Advisory Description When an LTM Client or Server SSL profile with TLS 1.3 enabled is configured on a virtual server, along with an iRule that calls HTTP::respond, undisclosed requests can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-34651 Impact Traffic is disrupt...

K16090693: Apache HTTP server vulnerability CVE-2021-44224

Security Advisory Description A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint...

K21344224: Lazy FP state restore vulnerability CVE-2018-3665

Security Advisory Description System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. CVE-2018-3665 A Floating-Point FP state...

K28273449: Linux kernel vulnerability CVE-2018-6555

Security Advisory Description The irdasetsockopt function in net/irda/afirda.c and later in drivers/staging/irda/net/afirda.c in the Linux kernel before 4.17 allows local users to cause a denial of service iasobject use-after-free and system crash or possibly have unspecified other impact via an...

K30272432: RubyGems vulnerability CVE-2021-41817

Security Advisory Description Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS regular expression Denial of Service via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. CVE-2021-41817 Impact There is no impact; F5 products are not affected by this vulnerability...