K10754336: MySQL vulnerabilities CVE-2019-2808, CVE-2019-2810, CVE-2019-2811, CVE-2019-2812, and CVE-2019-2814
Security Advisory Description CVE-2019-2808 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple...
K11220361: LibTIFF vulnerability CVE-2015-1547
Security Advisory Description The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif. CVE-2015-1547 Impact This vulnerability allows a remote attacker to cause a...
K09417637: Samba vulnerability CVE-2015-3223
Security Advisory Description The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles certain zero values, which allows remote attackers to cause a denial of service (infini...
K66782293: TMM vulnerability CVE-2021-23039
Security Advisory Description When IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote IPSec peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2021-23039 Impact Traffic is disrupted whil...
K26430555: MySQL vulnerability CVE-2016-5625
Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Packaging. CVE-2016-5625 Impact There is no impact; F5 products are not affected by this vulnerabilit...
K09092524: Binutils vulnerability CVE-2019-9074
Security Advisory Description An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c. CVE-2019-9074 Impact...
K50974556: Overview of F5 vulnerabilities (August 2021)
Security Advisory Description On August 24, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...
K44453423: IP-in-IP Packet Processing vulnerability CVE-2020-10136
Security Advisory Description Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface an...
K59591931: Drupal vulnerability CVE-2018-7602
Security Advisory Description A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to...
K54095660: Linux kernel vulnerability CVE-2016-9555
Security Advisory Description The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via...
K05415626: Apache HTTPD vulnerability CVE-2017-7659
Security Advisory Description A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. CVE-2017-7659 Impact A remote attacker can use a maliciously crafted HTTP/2 request to cause an abnormal termination on the Apache...
K94325657: BIG-IP restjavad vulnerability CVE-2020-5880
Security Advisory Description The restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. Resulting error messages may also reveal internal paths of the server. CVE-2020-5880 Impact A remote attacker may be able to fill...
K03251240: Multiple Apache OFBiz vulnerabilities CVE-2021-29200, CVE-2021-30128
Security Advisory Description CVE-2021-29200 Apache OFBiz has unsafe deserialization prior to 17.12.07 version. An unauthenticated user can perform an RCE attack. CVE-2021-30128 Apache OFBiz has unsafe deserialization prior to 17.12.07 version. Impact There is no impact; F5 products are not affected...
K02884135: Binutils vulnerability CVE-2019-9071
Security Advisory Description An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. CVE-2019-9071 Impact There is no impact; F5 products are not affected by this...
K84947349: OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749
Security Advisory Description CVE-2015-2601 Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, JRockit R28.3.6, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE. CVE-2015-2621 Unspecified vulnerability in Oracle Java SE...
K85307687: cURL and libcurl vulnerabilities CVE-2014-3613, CVE-2014-3707, and CVE-2014-8150
Security Advisory Description CVE-2014-3613 cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site...
K71581599: libgd vulnerability CVE-2016-6161
Security Advisory Description The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image. CVE-2016-6161 Impact When using PHP to generate GIF images, it is possible for a specially crafted GD2...
K54308010: PHP vulnerability CVE-2016-7124
Security Advisory Description ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct...
K44500413: Linux kernel vulnerability CVE-2016-2069
Security Advisory Description Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. CVE-2016-2069 Impact There is no impact; F5 products are not affected by this vulnerability...
K37012655: Linux kernel vulnerability CVE-2016-7042
Security Advisory Description The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack...
K52114338: systemd vulnerability CVE-2017-9445
Security Advisory Description In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating ...
K53590702: BIG-IP engineering hotfix TMM vulnerability CVE-2020-5852
Security Advisory Description Undisclosed traffic patterns received may cause a disruption of service to the Traffic Management Microkernel (TMM). This vulnerability affects TMM through a virtual server configured with a FastL4 profile. Traffic processing is disrupted while TMM restarts...
K36784855: Apache Tomcat vulnerability CVE-2016-0762
Security Advisory Description The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to...
K69734255: INTEL-SA-00251 - Intel NUC Firmware vulnerability CVE-2019-11094
Security Advisory Description Insufficient input validation in system firmware for Intel(R) NUC Kit may allow an authenticated user to potentially enable escalation of privilege, denial of service, and/or information disclosure via local access. CVE-2019-11094 Impact There is no impact; F5 product...
K41103561: libxml2 vulnerability CVE-2016-4448
Security Advisory Description Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. CVE-2016-4448 Impact Allows an attacker unauthorized disclosure of information, unauthorized modification, and disruption ...
K33245306: INTEL-SA-00244 - Intel Quartus Prime Software CVE-2019-0171
Security Advisory Description Improper directory permissions in the installer for Intel(R) Quartus(R) software may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2019-0171 Impact There is no impact; F5 products are not affected by this vulnerability...
K23328310: TMM vulnerability CVE-2018-15330
Security Advisory Description When a virtual server uses the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core file. CVE-2018-15330 Impact An attacker may be able to...
K23030550: Linux kernel vulnerability CVE-2016-8399
Security Advisory Description An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged proce...
K35232053: PHP vulnerability CVE-2016-7125
Security Advisory Description ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by obje...
K24415506: BIG-IP APM portal access reflected XSS vulnerability CVE-2020-5889
Security Advisory Description In BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client. CVE-2020-5889 Impact An attacker can craft a malicious URL and...
K41827200: MySQL vulnerabilities CVE-2018-2562, CVE-2018-2573, CVE-2018-2576, CVE-2018-2583, and CVE-2018-2590
Security Advisory Description CVE-2018-2562 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows low privileged attack...
K21536299: Apache Fineract vulnerabilities CVE-2018-1289, CVE-2018-1290, and CVE-2018-1292
Security Advisory Description CVE-2018-1289 In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL...
K37080719: NGINX Instance Manager vulnerability CVE-2022-35241
Security Advisory Description When NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. CVE-2022-35241 Impact System performance can degrade until system inodes become free. This vulnerability allows a remote, authenticated attacker to cause a...
K24715544: MySQL vulnerabilities CVE-2018-2591, CVE-2018-2600, CVE-2018-2612, CVE-2018-2622, and CVE-2018-2640
Security Advisory Description CVE-2018-2591 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network...
K42142782: Linux kernel vulnerability CVE-2017-15121
Security Advisory Description A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an application punches a hole in a file that does not end aligned to a page boundary. CVE-2017-15121 Impact An attacker can exploit this vulnerability to cause a denial of...
K43030517: Linux kernel BPF vulnerability CVE-2019-7308
Security Advisory Description kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks...
K44873550: Apache Storm vulnerability CVE-2021-38294
Security Advisory Description A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication...
K10751325: TMM vulnerability CVE-2021-23011
Security Advisory Description When the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. CVE-2021-23011 Impact BIG-IP The Traffic Management Microkern...
K14713331: MySQL Optimizer vulnerabilities CVE-2017-3638, CVE-2017-3642, and CVE-2017-3645
Security Advisory Description CVE-2017-3638 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple...
K07082049: NTP vulnerability CVE-2017-6462
Security Advisory Description Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. CVE-2017-6462 Impact This vulnerability allows local users ...
K02405023: Apache Brooklyn vulnerability CVE-2017-3165
Security Advisory Description In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-si...
K04327352: Multiple MySQL data manipulation language vulnerabilities
Security Advisory Description CVE-2017-3634 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network acces...
K95208524: jQuery vulnerability CVE-2016-7103
Security Advisory Description Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function. CVE-2016-7103 Impact This vulnerability allows a remote attacker to perform an...
K43815022: BIG-IP crypto driver vulnerability CVE-2020-5882
Security Advisory Description Under certain conditions, the Intel QuickAssist Technology (QAT) cryptography driver may produce a Traffic Management Microkernel (TMM) core file. CVE-2020-5882 Impact The BIG-IP system temporarily fails to process traffic as it recovers from TMM restarting, and systems...
K14363514: OpenSSL vulnerability CVE-2017-3736
Security Advisory Description There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perfo...
K54635192: Linux kernel overlayfs vulnerability CVE-2021-3493
Security Advisory Description The overlayfs implementation in the Linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the...
K38453823: Apache vulnerability CVE-2021-31618
Security Advisory Description Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions an HTTP response is sent to the client...
K15317: Linux kernel vulnerability CVE-2014-0101
Security Advisory Description The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer...
K27638900: Apache Struts vulnerability CVE-2017-15707
Security Advisory Description In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload. CVE-2017-15707 Impact There is no impact; F5 products are not affecte...
K54891070: Tomcat vulnerabilities CVE-2012-5885, CVE-2012-5886, and CVE-2012-5887
Security Advisory Description CVE-2012-5885 The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc...