K30272432: RubyGems vulnerability CVE-2021-41817
Security Advisory Description Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. CVE-2021-41817 Impact There is no impact; F5 products are not affected by this vulnerability...
K29923912: BIG-IP Configuration utility vulnerability CVE-2020-5916
Security Advisory Description The Certificate Administrator user role and higher privileged roles can perform arbitrary file reads outside of the web root directory. CVE-2020-5916 Impact Requests to the Configuration utility can result in arbitrary file reads outside of the web root directory...
K57418558: Linux kernel vulnerability CVE-2019-15916
Security Advisory Description An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. CVE-2019-15916 Impact An attacker with local access may be able to cause a denial of service (DoS)...
K55834441: Netty vulnerability CVE-2021-21295
Security Advisory Description Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty io.netty:netty-codec-http2 before version 4.1.60.Final there is a vulnerability that enables...
K44104514: Apache Storm vulnerability CVE-2021-40865
Security Advisory Description An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to...
K20224417: OCSP responder vulnerability CVE-2018-8019
Security Advisory Description When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with...
K20541896: iControl REST and tmsh vulnerability CVE-2019-6621
Security Advisory Description On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin...
K20001553: Libgcrypt vulnerability CVE-2018-0495
Security Advisory Description Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the...
K20445457: iControl REST vulnerability CVE-2019-6620
Security Advisory Description Undisclosed iControl REST worker vulnerable to command injection for an Administrator user. CVE-2019-6620 Impact BIG-IP and BIG-IQ This vulnerability may bypass Appliance mode security by allowing the execution of arbitrary bash commands. In non-Appliance mode...
K04280042: BIG-IP ASM vulnerability CVE-2019-6650
Security Advisory Description F5 BIG-IP ASM may expose sensitive information and allow the system configuration to be modified when using non-default settings. CVE-2019-6650 Impact The vulnerability is only present on multi-bladed systems (VIPRION) with BIG-IP ASM provisioned, on the following...
K05123525: ConfigSync vulnerability CVE-2019-6649
Security Advisory Description F5 BIG-IP and Enterprise Manager may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings. CVE-2019-6649 Impact The vulnerability is only present when the system is configured for high availability ...
K05380109: Bootstrap vulnerability CVE-2018-14041
Security Advisory Description In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. CVE-2018-14041 Impact An attacker may exploit this vulnerability to perform a cross-site scripting (XSS) attack. Security Advisory Status F5 Product Development has assigned ID 767373...
K06430416: Zend Framework vulnerability CVE-2015-7695
Security Advisory Description The PDO adapters in Zend Framework before 1.12.16 do not filter null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query. CVE-2015-7695 Impact There is no impact; F5 products are not affected by this...
K01225001: Apache Tomcat vulnerability CVE-2017-5664
Security Advisory Description The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to...
K01413496: vCMP vulnerability CVE-2019-6632
Security Advisory Description Under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files...
K10631153: Apache Solr vulnerability CVE-2017-12629
Security Advisory Description Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to...
K11435435: PHP vulnerability CVE-2020-7070
Security Advisory Description In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thu...
K97324400: OpenSSL vulnerability CVE-2019-1563
Security Advisory Description In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypt...
K05043394: TMM vulnerability CVE-2021-23036
Security Advisory Description When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2021-23036 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows a remot...
K98528405: BIG-IP BIND vulnerability CVE-2018-5740
Security Advisory Description A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named. CVE-2018-5740 Impact A flaw in a rarely used BIND feature can cause an assertion failure in named. As a result, the bind process restarts. Security Advisory Status F5 Product...
K94778122: tcpdump vulnerabilities CVE-2016-7985, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, and CVE-2016-8575
Security Advisory Description CVE-2016-7985 The CALM FAST parser in tcpdump before 4.9.0 has a buffer overflow in print-calm-fast.c:calm_fast_print(). CVE-2016-7992 The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-cip.c:cip_if_print(). CVE-2016-7993 A bug in...
K94010578: tcpdump vulnerabilities CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7983, and CVE-2016-7984
Security Advisory Description CVE-2016-7940 The STP parser in tcpdump before 4.9.0 has a buffer overflow in print-stp.c, multiple functions. CVE-2016-7973 The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in print-atalk.c, multiple functions. CVE-2016-7974 The IP parser in tcpdum...
K77326807: BIND vulnerability CVE-2021-25219
Security Advisory Description In BIND 9.3.0 - 9.11.35, 9.12.0 - 9.16.21, and versions 9.9.3-S1 - 9.11.35-S1 and 9.16.8-S1 - 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 - 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers...
K50046200: BIG-IP TMM vulnerability CVE-2020-5854
Security Advisory Description The Traffic Management Microkernel (TMM) process may produce a core file when using the connector profile and a specific sequence of connections are received. CVE-2020-5854 Impact The BIG-IP system temporarily fails to process traffic as it recovers from a TMM restart,...
K58729485: Linux kernel vulnerability CVE-2018-14656
Security Advisory Description A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log. CVE-2018-14656 Impact There is no impact; F5 products are not affected by this vulnerability...
K57690705: Kernel vulnerability CVE-2018-11232
Security Advisory Description The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable. CVE-2018-11232 Impact There is no impact; F...
K68692291: Linux kernel vulnerability CVE-2018-7754
Security Advisory Description The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading "ffree: " lines in a debugfs file. CVE-2018-7754 Impact There is no impact; F5 products are not...
K54200228: BIG-IP iRules vulnerability CVE-2020-5877
Security Advisory Description Malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event may lead to a denial of service. CVE-2020-5877 Impact Remote attackers may be able to perform a denial-of-service (DoS) attack on the BIG-IP system. Security Advisory Status F5 Product...
K38315305: FreeType vulnerability CVE-2015-9290
Security Advisory Description In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again. CVE-2015-9290 Impact A local unprivileged attacker can perform a...
K37337112: Apache Tomcat vulnerability CVE-2017-6056
Security Advisory Description It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816...
K31997425: tcpdump vulnerabilities CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, and CVE-2017-5486
Security Advisory Description CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575. CVE-2017-5483 The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). CVE-2017-5484 Th...
K20087443: BIG-IP APM VPN vulnerability CVE-2017-6129
Security Advisory Description In F5 BIG-IP APM software version 13.0.0 and 12.1.2, in some circumstances, APM tunneled VPN flows can cause a VPN/PPP connflow to be prematurely freed or cause TMM to stop responding with a "flow not in use" assertion. An attacker may be able to disrupt traffic or...
K43310520: BIG-IP TMUI vulnerability CVE-2020-5940
Security Advisory Description A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. CVE-2020-5940 Impact An authenticated attacker may be able to store JavaScript, which i...
K82112489: GNOME GLib vulnerability CVE-2021-27219
Security Advisory Description An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. CVE-2021-27219...
K73422160: OpenSSL vulnerability CVE-2019-1547
Security Advisory Description Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters instead of using a named curve. In those cases it is possible th...
K64348180: MySQL vulnerabilities CVE-2022-21517, CVE-2022-21519, CVE-2022-21522, CVE-2022-21525, and CVE-2022-21526
Security Advisory Description CVE-2022-21517 Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...
K69422435: BIG-IQ HA vulnerability CVE-2020-5870
Security Advisory Description BIG-IQ high availability (HA) synchronization mechanisms do not use any form of authentication for connecting to the peer. CVE-2020-5870 Impact An attacker on an adjacent network may be able to establish a connection to the BIG-IQ HA synchronization with no...
K41704442: Reflected XSS vulnerability in an undisclosed Configuration utility page CVE-2018-15315
Security Advisory Description A reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. CVE-2018-15315 Impact BIG-IP A remote unauthenticated...
K44501040: BIND vulnerability CVE-2022-2906
Security Advisory Description An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. CVE-2022-2906 Impact There is ...
K40427215: BIND vulnerability CVE-2022-2881
Security Advisory Description The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. CVE-2022-2881 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development ha...
K43945001: F5 TMM vulnerability CVE-2017-6147
Security Advisory Description An undisclosed type of responses may cause TMM to restart, causing an interruption of service when "SSL Forward Proxy" setting is enabled in both the Client and Server SSL profiles assigned to a BIG-IP Virtual Server. CVE-2017-6147 Impact If the SSL Forward Proxy...
K17529: NTP vulnerability CVE-2015-7703
Security Advisory Description The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of...
K17517: NTP vulnerability CVE-2015-7701
Security Advisory Description Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption). CVE-2015-7701 Impact An attacker could send packets to ntpd that may, after several days of...
K28855111: BIG-IQ HA vulnerability CVE-2020-5869
Security Advisory Description BIG-IQ high availability (HA) synchronization is not secure by TLS and may allow on-path attackers to read / modify confidential data in transit. CVE-2020-5869 Impact Certain BIG-IQ data may be compromised when the vulnerability is exploited on a BIG-IQ HA configuratio...
K05403841: BIG-IP and BIG-IQ improvements disclosed by Rapid7
Security Advisory Description BIG-IP and BIG-IQ improvements disclosed by Rapid7 Important: F5 recognizes these issues are security related. However, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism,...
K01112063: NGINX ngx_http_hls_module vulnerability CVE-2022-41743
Security Advisory Description NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issu...
K02692210: BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2017-6157
Security Advisory Description BIG-IP virtual servers with a configuration using the HTTP Explicit Proxy functionality and/or SOCKS profile are vulnerable to an unauthenticated, remote attack that allows modification of BIG-IP system configuration, extraction of sensitive system files, and/or...
K01051452: NGINX Ingress Controller vulnerability CVE-2021-23055
Security Advisory Description The command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. CVE-2021-23055 Impact An attacker with privileges to deploy Ingress resources can inject configuration snippets that may allow them to gain access ...
K17263: OpenSSH vulnerabilities CVE-2015-6563 and CVE-2015-6564
Security Advisory Description CVE-2015-6563 The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction...
K05016441: Oracle Java vulnerability CVE-2016-3508
Security Advisory Description Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500. CVE-2016-3508 Impact An attacker...