Lucene search for "K": 6294 matches found

F5 Networks
added 2023/02/21 7:58 p.m. · 47 views

K34732584: FreeType vulnerability CVE-2015-9381

Security Advisory Description: FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c. CVE-2015-9381 Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product Development has evaluated the currently...

CVSS 8.8 · AI score 6.8 · EPSS 0.01919
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 72 views

K28622040: Python vulnerability CVE-2019-9948

Security Advisory Description: urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. CVE-2019-9948 Impac...

CVSS 9.1 · AI score 7.7 · EPSS 0.11844
Exploits 1 · Affected Software 4
F5 Networks
added 2023/02/21 7:58 p.m. · 77 views

K27110515: Open SSL vulnerability CVE-2001-1141

Security Advisory Description: The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. CVE-2001-1141...

CVSS 5 · AI score 6.6 · EPSS 0.04988
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 49 views

K23630542: MySQL vulnerabilities CVE-2017-3636, CVE-2018-3081, CVE-2018-3174, CVE-2021-2144, and CVE-2020-2812

Security Advisory Description: CVE-2017-3636 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to...

CVSS 7.2 · AI score 5.9 · EPSS 0.03241
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 50 views

K16764: PHP vulnerability CVE-2015-4022

Security Advisory Description: Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. CVE-2015-40...

CVSS 7.5 · AI score 9.5 · EPSS 0.20311
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 27 views

K14632915: TMM vulnerability CVE-2019-6603

Security Advisory Description: Malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. CVE-2019-6603 Impact: This vulnerability...

CVSS 7.5 · AI score 7.8 · EPSS 0.01782
Exploits 0 · Affected Software 13
F5 Networks
added 2023/02/21 7:58 p.m. · 84 views

K14649763: Overview of F5 vulnerabilities (August 2022)

Security Advisory Description: On August 3, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...

CVSS 9.8 · AI score 6.6 · EPSS 0.01849
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 58 views

K15320518: FasterXML jackson-databind vulnerability CVE-2020-8840

Security Advisory Description: In FasterXML jackson-databind 2.0.0 through 2.9.10.2, due to the lack of certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter, attackers can exploit JNDI injections to remotely execute code. FasterXML Jackson is a...

CVSS 9.8 · AI score 9.1 · EPSS 0.26587
Exploits 5 · Affected Software 12
F5 Networks
added 2023/02/21 7:58 p.m. · 29 views

K06440657: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Security Advisory Description: The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. CVE-2021-23001 Impact: An authenticated malicious user can upload malicious files to use in...

CVSS 4.3 · AI score 5.3 · EPSS 0.00572
Exploits 0 · Affected Software 2
F5 Networks
added 2023/02/21 7:58 p.m. · 24 views

K09121542: BIG-IP SSL/TLS vulnerability CVE-2021-22981

Security Advisory Description: The original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation...

CVSS 5.8 · AI score 5.8 · EPSS 0.00536
Exploits 0 · Affected Software 14
F5 Networks
added 2023/02/21 7:58 p.m. · 37 views

K05770600: Linux libuser vulnerability CVE-2015-3246

Security Advisory Description: libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE:...

CVSS 7.2 · AI score 7.2 · EPSS 0.06853
Exploits 9 · Affected Software 20
F5 Networks
added 2023/02/21 7:58 p.m. · 82 views

K11522001: Apache vulnerabilities CVE-2018-1313, CVE-2018-1338, CVE-2018-1339, CVE-2018-1335, and CVE-2018-8003

Security Advisory Description: CVE-2018-1313 In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java...

CVSS 9.3 · AI score 6.5 · EPSS 0.94106
Exploits 10
F5 Networks
added 2023/02/21 7:58 p.m. · 30 views

K88474783: BIG-IP DoS profile vulnerability CVE-2020-5879

Security Advisory Description: Under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. CVE-2020-5879 Impact: The affected system sends some requests to the back-end server without encryption, possibly leaki...

CVSS 7.5 · AI score 7.5 · EPSS 0.00792
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 34 views

K87502622: iControl REST vulnerability CVE-2021-22978

Security Advisory Description: Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. CVE-2021-22978 Impact: An attacker may exploit this vulnerability using a crafted URL to a...

CVSS 8.3 · AI score 7 · EPSS 0.00788
Exploits 0 · Affected Software 14
F5 Networks
added 2023/02/21 7:58 p.m. · 27 views

K99038439: NodeJS vulnerability CVE-2012-2330

Security Advisory Description: The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero...

CVSS 6.4 · AI score 6.5 · EPSS 0.02595
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 61 views

K89095152: PHP vulnerability CVE-2018-17082

Security Advisory Description: The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in...

CVSS 6.1 · AI score 6.2 · EPSS 0.04103
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 42 views

K87235248: ImageMagick vulnerability CVE-2020-29599

Security Advisory Description: ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject...

CVSS 7.8 · AI score 7.5 · EPSS 0.0703
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 32 views

K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure

Security Advisory Description: A BIG-IP ASM and F5 Advanced Web Application Firewall (Advanced WAF) attack signature check may fail to detect and block certain GET requests when cross-site request forgery (CSRF) protection is enabled. Impact: Attackers may be able to bypass BIG-IP ASM and Advanced WAF...

AI score 6.5
Exploits 0 · Affected Software 2
F5 Networks
added 2023/02/21 7:58 p.m. · 39 views

K79428827: BIG-IP APM OCSP vulnerability CVE-2021-23047

Security Advisory Description: When BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use. CVE-2021-23047 Impact: This vulnerability allows a remote attacker ...

CVSS 5.3 · AI score 5.6 · EPSS 0.00579
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 38 views

K04912972: NTP vulnerability CVE-2018-7185

Security Advisory Description: The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim...

CVSS 7.5 · AI score 7.2 · EPSS 0.09239
Exploits 0 · Affected Software 17
F5 Networks
added 2023/02/21 7:58 p.m. · 34 views

K64208870: TMM vulnerability CVE-2018-15319

Security Advisory Description: Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies. CVE-2018-15319 Impact: An attacker may be able to...

CVSS 7.8 · AI score 7.5 · EPSS 0.01859
Exploits 0 · Affected Software 13
F5 Networks
added 2023/02/21 7:58 p.m. · 31 views

K01074825: libcroco vulnerability CVE-2020-12825

Security Advisory Description: libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption. CVE-2020-12825 Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product Development has...

CVSS 7.1 · AI score 6.5 · EPSS 0.02319
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 14 views

K5790: Apache JServ Protocol vulnerability JVN#79314822

Security Advisory Description: Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

AI score 6.7
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 30 views

K59145983: Intel CSME and SPS vulnerability CVE-2019-0090

Security Advisory Description: Insufficient access control vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow unauthenticated user to potentially enable escalation of privilege via physical access. CVE-2019-0090 Impact: Traffix...

CVSS 7.1 · AI score 8.6 · EPSS 0.00362
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 127 views

K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302

Security Advisory Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a...

CVSS 8.8 · AI score 8.6 · EPSS 0.61785
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 32 views

K47306214: GNU Libmicrohttpd vulnerability CVE-2021-3466

Security Advisory Description: A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from...

CVSS 10 · AI score 8.9 · EPSS 0.08739
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 37 views

K51470205: Intel DAL vulnerability CVE-2019-0170

Security Advisory Description: Buffer overflow in subsystem in Intel(R) DAL before version 12.0.35 may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2019-0170 Impact: Traffix SDC: An attacker with local access to the system can exploit this vulnerability...

CVSS 6.7 · AI score 7.3 · EPSS 0.00413
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 28 views

K46337613: NodeJS vulnerability CVE-2015-8315

Security Advisory Description: The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)". CVE-2015-8315 Impact: There is no impact; F5 products are not affected by this...

CVSS 7.8 · AI score 7.4 · EPSS 0.06768
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 27 views

K45429077: Exiv2 vulnerability CVE-2019-13114

Security Advisory Description: http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash) due to a NULL pointer dereference by returning a crafted response that lacks a space character. CVE-2019-13114 Impact: There is no impact; F5 products are not affected by...

CVSS 6.5 · AI score 6.5 · EPSS 0.02115
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 74 views

K51674118: Linux kernel vulnerability CVE-2019-11599

Security Advisory Description: The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have...

CVSS 7 · AI score 6.8 · EPSS 0.00989
Exploits 3 · Affected Software 17
F5 Networks
added 2023/02/21 7:58 p.m. · 29 views

K40625021: BIG-IP APM portal access vulnerability CVE-2018-15310

Security Advisory Description: A vulnerability in BIG-IP APM portal access discloses the BIG-IP software version in rewritten pages. CVE-2018-15310 Impact: The BIG-IP version may be exposed to users with valid BIG-IP APM portal access sessions. Security Advisory Status: F5 Product Development has...

CVSS 4.3 · AI score 4.8 · EPSS 0.00873
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 65 views

K42454663: PHP vulnerability CVE-2015-8874

Security Advisory Description: Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. CVE-2015-8874 Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: ...

CVSS 7.5 · AI score 8.3 · EPSS 0.08276
Exploits 1
F5 Networks
added 2023/02/21 7:58 p.m. · 37 views

K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025

Security Advisory Description: When a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2022-23025 Impact: Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated remot...

CVSS 7.5 · AI score 7.5 · EPSS 0.00904
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 32 views

K35815741: Intel CSME and TXE vulnerability CVE-2019-0086

Security Advisory Description: Insufficient access control vulnerability in Dynamic Application Loader software for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local...

CVSS 7.8 · AI score 8 · EPSS 0.00358
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 184 views

K25206238: Apache Commons FileUpload vulnerability CVE-2016-1000031

Security Advisory Description: Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution. CVE-2016-1000031 Impact: Remote attackers can run arbitrary code on the vulnerable device. Security Advisory Status: F5 Product Development has assigned CPF-24841, CPF-24842, an...

CVSS 9.8 · AI score 9.6 · EPSS 0.34731
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 21 views

K30105730: Intel SPS vulnerability CVE-2019-0099

Security Advisory Description: Insufficient access control vulnerability in subsystem in Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. CVE-2019-0099 Impact: Traffix SDC: An attacker with physical...

CVSS 6.8 · AI score 7.3 · EPSS 0.00401
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 64 views

K21561554: Linux kernel vulnerability security/apparmor CVE-2019-18814

Security Advisory Description: An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c. CVE-2019-18814 Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisor...

CVSS 9.8 · AI score 6.3 · EPSS 0.02503
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 32 views

K18570111: BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010

Security Advisory Description: When the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON content profile in the ASM security policy, the BIG-IP ASM bd process may produce a core file. CVE-2021-23010 Impact: When this vulnerability is exploited, t...

CVSS 7.5 · AI score 7.5 · EPSS 0.00961
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:58 p.m. · 53 views

K17127: PHP vulnerability CVE-2014-9709

Security Advisory Description: The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the...

CVSS 5 · AI score 7.6 · EPSS 0.15129
Exploits 1 · Affected Software 18
F5 Networks
added 2023/02/21 7:58 p.m. · 24 views

K18252740: libarchive vulnerability CVE-2017-14503

Security Advisory Description: libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16(). CVE-2017-14503 Impact: There is no impact; F5 products are not affected by this...

CVSS 6.5 · AI score 6 · EPSS 0.01956
Exploits 0
F5 Networks
added 2023/02/21 7:58 p.m. · 43 views

K17126: Apache Struts vulnerability CVE-2014-7809

Security Advisory Description: Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism. CVE-2014-7809 Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5...

CVSS 6.8 · AI score 7.1 · EPSS 0.03486
Exploits 0
F5 Networks
added 2023/02/21 7:57 p.m. · 52 views

K17125: Multiple Java vulnerabilities

Security Advisory Description: CVE-2015-0458 Unspecified vulnerability in Oracle Java SE 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2015-0459 Unspecified vulnerability in Oracle Java SE 5.0u8...

CVSS 10 · AI score 7 · EPSS 0.07224
Exploits 0
F5 Networks
added 2023/02/21 7:57 p.m. · 31 views

K17119: MySQL vulnerability CVE-2015-2576

Security Advisory Description: Unspecified vulnerability in the MySQL Utilities component in Oracle MySQL 1.5.1 and earlier, when running on Windows, allows local users to affect integrity via unknown vectors related to Installation. CVE-2015-2576 Impact: There is no impact; F5 products are not...

CVSS 2.1 · AI score 3.6 · EPSS 0.00438
Exploits 0
F5 Networks
added 2023/02/21 7:57 p.m. · 52 views

K17124: Linux kernel vulnerability CVE-2015-1465

Security Advisory Description: The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service memory consumption o...

CVSS 7.8 · AI score 7.5 · EPSS 0.06511
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:57 p.m. · 33 views

K16708: cURL and libcurl vulnerabilities CVE-2015-3144 and CVE-2015-3145

Security Advisory Description: CVE-2015-3144 The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a...

CVSS 9 · AI score 9 · EPSS 0.3763
Exploits 0
F5 Networks
added 2023/02/21 7:57 p.m. · 51 views

K16707: cURL and libcurl vulnerability CVE-2015-3148

Security Advisory Description: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. CVE-2015-3148 Impact: Remote attackers may be able to re-use Negotiate connections as other user...

CVSS 5 · AI score 7.8 · EPSS 0.17942
Exploits 0 · Affected Software 20
F5 Networks
added 2023/02/21 7:57 p.m. · 41 views

K16729408: D-Bus vulnerability CVE-2020-12049

Security Advisory Description: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system...

CVSS 5.5 · AI score 6.7 · EPSS 0.00569
Exploits 1 · Affected Software 12
F5 Networks
added 2023/02/21 7:57 p.m. · 43 views

K14631834: NGINX Controller vulnerability CVE-2020-5863

Security Advisory Description: In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other...

CVSS 8.6 · AI score 8.4 · EPSS 0.01122
Exploits 0 · Affected Software 1
F5 Networks
added 2023/02/21 7:57 p.m. · 59 views

K14335949: Intel processors vulnerability CVE-2022-24436

Security Advisory Description: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access. CVE-2022-24436 (also known as hertzbleed) Impact: Successful exploitation of this vulnerabili...

CVSS 6.5 · AI score 6.8 · EPSS 0.12043
Exploits 0 · Affected Software 13
F5 Networks
added 2023/02/21 7:57 p.m. · 30 views

K13434228: Apache Struts vulnerability CVE-2012-0392

Security Advisory Description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method...

CVSS 6.8 · AI score 9.5 · EPSS 0.96787
Exploits 1

Total number of security vulnerabilities: 6294