K11009429: MySQL vulnerabilities CVE-2018-3170, CVE-2018-3171, CVE-2018-3173, CVE-2018-3174, and CVE-2018-3182

Security Advisory Description CVE-2018-3170 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: DDL. Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols...

K03151140: ImageMagick vulnerability CVE-2016-3714

Security Advisory Description The 1 EPHEMERAL, 2 HTTPS, 3 MVG, 4 MSL, 5 TEXT, 6 SHOW, 7 WIN, and 8 PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." CVE-2016-3714 Impac...

K03073656: X.Org X server vulnerability CVE-2018-14665

Security Advisory Description A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and...

K12331123: NGINX Plus and Open Source vulnerability CVE-2021-23017

Security Advisory Description An issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or other unspecified impact. CVE-2021-23017 Impact A remote attacker can cause a...

K12234501: BIG-IP virtual server vulnerability CVE-2020-5883

Security Advisory Description When a virtual server is configured with HTTP explicit proxy and has an attached HTTPPROXYREQUEST iRule, POST requests sent to the virtual server cause an xdata memory leak. CVE-2020-5883 Impact The BIG-IP system may become vulnerable to conditions that result when i...

K08250500: Nginx vulnerability CVE-2016-4450

Security Advisory Description os/unix/ngxfiles.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service NULL pointer dereference and worker process crash via a crafted request, involving writing a client request body to a temporary file. CVE-2016-4450...

K93683207: Apache vulnerability CVE-2018-1333

Security Advisory Description By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 Affected 2.4.18-2.4.30,2.4.33. CVE-2018-1333 Impact There is no impact; F5...

K99123750: BIG-IP Stream profile vulnerability CVE-2022-28701

Security Advisory Description When the stream profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.CVE-2022-28701 Impact System performance can degrade until the Traffic Management Microkernel TMM process is either forced to restart ...

K95463126: OpenSSL vulnerabilities CVE-2016-0703 and CVE-2016-0704

Security Advisory Description CVE-2016-0703 The getclientmasterkey function in s2srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, whic...

K65043534: Multiple INTEL BIOS vulnerabilities

Security Advisory Description CVE-2017-5705 Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code. CVE-2017-5706 Multiple buffer overflows in kernel in Intel Server Platfo...

K58149033: Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client

Security Advisory Description F5 Access is the SSL Virtual Private Network VPN client for BIG-IP APM systems. It is available for both desktop and mobile platforms in their respective app stores. For Android and Apple devices, F5 Access utilizes the operating system’s web browser WebKit to allow...

K49549213: Advanced WAF and BIG-IP ASM brute force mitigation may fail when receiving a specially crafted request

Security Advisory Description F5 Advanced Web Application Firewall WAF and BIG-IP ASM brute force mitigation may fail. This issue occurs when all of the following conditions are met: A security policy is configured with a login page using basic authentication as its authentication type. The...

K42534513: Multiple PeopleSoft Enterprise PeopleTools vulnerabilities

Security Advisory Description CVE-2018-3129 Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products subcomponent: Portal. Supported versions that are affected are 8.55, 8.56 and 8.57. Easily exploitable vulnerability allows unauthenticated attacker with...

K37130415: BIG-IQ Grafana vulnerability CVE-2020-5868

Security Advisory Description A remote access vulnerability has been discovered that may allow a remote user to run shell commands on affected systems using HTTP requests to the BIG-IQ user interface. CVE-2020-5868 Impact A remote attacker may be able to leverage the Grafana component to run loca...

K37046163: Kernel vulnerability CVE-2016-6480

Security Advisory Description Race condition in the ioctlsendfib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service out-of-bounds access or system crash by changing a certain size value, aka a "double fetch" vulnerability...

K15261: Apache Struts vulnerability CVE-2014-0112

Security Advisory Description ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. CVE-2014-0112 Impact None. F5 products do...

K15262: Apache Struts vulnerability CVE-2014-0113

Security Advisory Description CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request...

K15274: TCP reassembly vulnerability CVE-2014-3000

Security Advisory Description The TCP reassembly function in the inet module in FreeBSD 8.3 before p16, 8.4 before p9, 9.1 before p12, 9.2 before p5, and 10.0 before p2 allows remote attackers to cause a denial of service undefined memory access and system crash or possibly read system memory via...

K14712: The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering CVE-2013-5976

Security Advisory Description Description The BIG-IP APM access policy logout page may be vulnerable to cross-site scripting XSS. Impact XSS protection in the BIG-IP APM access policy logout page may be insufficient. Security Advisory Status F5 Product Development tracked this vulnerability as ID...

K11830089: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617

Security Advisory Description When the F5 BIG-IP Advanced WAF or BIG-IP ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface. CVE-2022-41617 Impact On systems deployed in Standard or Appliance mode, this vulnerability may all...

K10366: BIND vulnerability - CVE-2009-0696

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5...

K95434410: TMM vulnerability CVE-2019-6629

Security Advisory Description Undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. The Client SSL profile must have session tickets enabled and use DHE cipher suites to be affected. This only impacts the data plane, there is no impact...

K54562183: BIG-IP PEM vulnerability CVE-2018-5503

Security Advisory Description TMM may restart when processing a specifically crafted page through a virtual server with an associated PEM policy that has content insertion as an action. CVE-2018-5503 Impact An attacker may be able to cause a remote denial of service DoS. Security Advisory Status ...

K4256: RADIUS integer overflow vulnerability CAN-2005-0108

Security Advisory Description Apache modauthradius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service crash via a RADIUSREPLYMESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument. Note: Versions that a...

K44611310: MySQL vulnerability CVE-2015-0411

Security Advisory Description Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. CVE-2015-0411 Impact Through...

K17597093: 389-ds-base vulnerability CVE-2017-15135

Security Advisory Description It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the...

K16480: Multiple unzip vulnerabilities CVE-2014-8139, CVE-2014-8140, and CVE-2014-8141

Security Advisory Description CVE-2014-8139 A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option. CVE-2014-8140 An integer...

K15189: Apache Commons FileUpload vulnerability CVE-2014-0050

Security Advisory Description MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service infinite loop and CPU consumption via a crafted Content-Type header that bypasses a loop's...

K15154: NTP vulnerability CVE-2013-5211

Security Advisory Description The monlist feature in ntprequest.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service traffic amplification via forged 1 REQMONGETLIST or 2 REQMONGETLIST1 requests, as exploited in the wild in December 2013. CVE-2013-5211 Impact A...

K15155: OpenSSH vulnerability CVE-2007-3102

Security Advisory Description Unspecified vulnerability in the linuxauditrecordevent function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. CVE-2007-3102 Impact None. F5 products...

K15150: cURL and libcurl vulnerability CVE-2013-4545

Security Advisory Description cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification CURLOPTSSLVERIFYHOST when the digital signature verification CURLOPTSSLVERIFYPEER is disabled, which allows man-in-the-middle attackers to spo...

K15151: pyOpenSSL vulnerability CVE-2013-4314

Security Advisory Description The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate...

K15147: OpenSSL vulnerability CVE-2013-6449

Security Advisory Description The sslgetalgorithm2 function in ssl/s3lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service daemon crash via crafted traffic from a TLS 1.2 client. CVE-2013-6449...

K15152: Ruby vulnerability CVE-2013-4164

Security Advisory Description Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a string that is...

K02694732: BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41691

Security Advisory Description When an F5 BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. CVE-2022-41691 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote...

K66544153: jQuery vulnerability CVE-2020-11023

Security Advisory Description In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. This probl...

K69488451: Multiple QEMU vulnerabilities CVE-2020-13791, CVE-2020-13800, CVE-2020-15469, CVE-2020-15859, and CVE-2020-15863

Security Advisory Description CVE-2020-13791 hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. CVE-2020-13800 ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite...

K65397301: iRules RESOLVER::summarize memory leak vulnerability CVE-2021-23049

Security Advisory Description When the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel TMM memory utilization resulting in an out-of-memory condition and a denial-of-service DoS. CVE-2021-23049 Impact...

K64462543: NodeJS vulnerability CVE-2015-2927

Security Advisory Description node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service bandwidth consumption. CVE-2015-2927 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluate...

K70746705: Multiple NAME:WRECK vulnerabilities

Security Advisory Description CVE-2020-7461 In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient8 fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap...

K6075: Cross-Site Scripting Vulnerability - Secunia Advisory SA19337

Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5...

K61420264: Linux kernel vulnerability CVE-2015-8830

Security Advisory Description Integer overflow in the aiosetupsinglevector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701...

K63025104: NodeJS vulnerability CVE-2018-7160

Security Advisory Description The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network acces...

K53854428: iControl SOAP vulnerability CVE-2021-23026

Security Advisory Description BIG-IP and BIG-IQ are vulnerable to cross-site request forgery CSRF attacks through iControl SOAP. CVE-2021-23026 Impact An attacker may trick authenticated users into performing critical actions. This vulnerability can only be exploited through the control plane and...

K5873: PAM conversation stack corruption in OpenSSH - CVE-2003-0787

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

K53756439: MySQL vulnerabilities CVE-2018-2767, CVE-2018-3063, CVE-2017-3653, and CVE-2018-3066

Security Advisory Description CVE-2018-2767 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Security: Encryption. Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low...

K58935003: F5 Container Connector vulnerability CVE-2018-5543

Security Advisory Description The F5 BIG-IP Controller for Kubernetes k8s-bigip-crtl passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container. CVE-2018-5543 Impact F5 BIG-IP Controller for Kubernetes This vulnerability...

K49033153: Apache Syncope vulnerabilities CVE-2018-1321 and CVE-2018-1322

Security Advisory Description CVE-2018-1321 An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations XSLT to perform malicious operations,...

K41101201: Linux kernel vulnerability CVE-2017-18203

Security Advisory Description The dmgetfromkobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service BUG by leveraging a race condition with dmdestroy during creation and removal of DM devices. CVE-2017-18203 Impact Traffix SDC This...

K42465020: BIG-IP URL classification vulnerability CVE-2019-6610

Security Advisory Description The BIG-IP system is vulnerable to a denial-of-service DoS attack when performing URL classification. CVE-2019-6610 Impact A remote attacker may be able to disrupt services by causing the Traffic Management Microkernel TMM to restart. There is no exposure in the...