K05428062: pcregrep in PCRE vulnerability CVE-2015-8393
Security Advisory Description pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client. CVE-2015-8393 Impact A local,...
K57390658: miniigd SOAP service in Realtek SDK vulnerability CVE-2014-8361
Security Advisory Description The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request. CVE-2014-8361 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...
K31300402: Virtual Machine Manager L1 Terminal Fault vulnerability CVE-2018-3646
Security Advisory Description Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a...
K35263486: libarchive vulnerability CVE-2016-8688
Security Advisory Description The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in...
K29215970: Linux kernel vulnerability CVE-2019-10125
Security Advisory Description An issue was discovered in aio_poll in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll, and this will cause a...
K90233102: MySQL vulnerabilities CVE-2017-10294, CVE-2017-10296, CVE-2017-10311, CVE-2017-10313, and CVE-2017-10314
Security Advisory Description CVE-2017-10294 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with netwo...
K16101409: BIG-IP AFM vulnerability CVE-2022-23028
Security Advisory Description When global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. CVE-2022-23028 Impact This vulnerability allows a remote attacker to cause a denial-of-service (DoS) on the...
K56715231: TMM buffer-overflow vulnerability CVE-2021-22991
Security Advisory Description Undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it theoretically may allow bypass of URL based access...
K64292204: OpenSSH vulnerability CVE-2016-10010
Security Advisory Description sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c. CVE-2016-10010 Impact In the default configuration,...
K33606035: OpenJDK vulnerability CVE-2020-14792
Security Advisory Description Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker wit...
K65615624: BIG-IP FastL4 TMM vulnerability CVE-2017-6166
Security Advisory Description In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe software 12.0.0 to 12.1.1, in some cases the Traffic Management Microkernel (TMM) may crash when processing fragmented packets. This vulnerability affects TMM through a virtual server...
K73710094: XSS vulnerability in undisclosed page of the NGINX Swagger UI
Security Advisory Description An issue in the swagger-ui, the third-party component bundled in the NGINX Plus packages, may expose an XSS security risk. The purpose of the swagger-ui is to provide interactive documentation for the API specification supplied in a swagger YAML file and used in the...
K12109859: Mozilla NSS vulnerability CVE-2017-5461
Security Advisory Description Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging...
K05342145: Linux kernel vulnerability CVE-2007-6762
Security Advisory Description In the Linux kernel before 2.6.20, there is an off-by-one bug in net/netlabel/netlabel_cipso_v4.c where it is possible to overflow the doi_def->tags array. CVE-2007-6762 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...
K73217235: pppd vulnerability CVE-2020-8597
Security Advisory Description eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. CVE-2020-8597 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has...
K62201745: OpenSSH vulnerability CVE-2016-10012
Security Advisory Description The shared memory manager associated with pre-authentication compression in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed...
K23033557: Intel software vulnerabilities CVE-2020-8746, CVE-2020-8747, CVE-2020-8749, CVE-2020-8752, CVE-2020-8753
Security Advisory Description CVE-2020-8746 Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2020-8747 Out-of-bounds read in subsystem fo...
K08006936: Apache Commons Configuration vulnerability CVE-2022-33980
Security Advisory Description Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of...
K63131370: Linux kernel vulnerability CVE-2017-1000251
Security Advisory Description The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 3.3-rc1 and up to and including 4.13.1, is vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution i...
K60156735: MySQL vulnerabilities CVE-2017-10276, CVE-2017-10279, CVE-2017-10283, CVE-2017-10284, and CVE-2017-10286
Security Advisory Description CVE-2017-10276 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network acce...
K22503522: Linux kernel vulnerability CVE-2018-7757
Security Advisory Description Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrat...
K23432135: Apache Struts 2 vulnerability CVE-2016-3093
Security Advisory Description Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. CVE-2016-3093 Impact The Object-Graph...
K15605622: MySQL vulnerability CVE-2016-6664
Security Advisory Description mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and...
K13815051: Apache vulnerability CVE-2021-30641
Security Advisory Description Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' CVE-2021-30641 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently...
K78234183: Linux SACK Panic vulnerability CVE-2019-11477
Security Advisory Description Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable...
K75521003: FreeBSD SACK Slowness vulnerability CVE-2019-5599
Security Advisory Description In FreeBSD 12.0-STABLE before r349197 and 12.0-RELEASE before 12.0-RELEASE-p6, a bug in the non-default RACK TCP stack can allow an attacker to cause several linked lists to grow unbounded and cause an expensive list traversal on every packet being processed, leading...
K61095244: Intel software vulnerabilities CVE-2020-8705, CVE-2020-8744, CVE-2020-8745, CVE-2020-8756
Security Advisory Description CVE-2020-8705 Insecure default initialization of resource in Intel(R) Boot Guard in Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30, Intel(R) SPS versions before...
K61294700: Linux kernel vulnerability CVE-2020-27777
Security Advisory Description A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further...
K18015201: Linux kernel vulnerability CVE-2017-2636
Security Advisory Description Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. CVE-2017-2636 Impact This vulnerability may allow locally authenticated users ...
K89509323: REST Framework vulnerability CVE-2019-6651
Security Advisory Description The BIG-IP/BIG-IQ Configuration utility login page may not follow best security practices when handling a malicious request. CVE-2019-6651 Impact The Configuration utility login page returns an inconsistent HTTP response when processing modified requests which may...
K68562154: MySQL vulnerability CVE-2005-0004
Security Advisory Description The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files. CVE-2005-0004 Impact There ...
K25544541: PHP vulnerabilities CVE-2019-9638, CVE-2019-9639, CVE-2019-9640, and CVE-2019-9641
Security Advisory Description CVE-2019-9638 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len...
K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017
Security Advisory Description When a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2022-23017 Impact System performance can...
K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103
Security Advisory Description When running in Appliance mode, the BIG-IP Guided Configuration GUI menu is vulnerable through the following third-party CVEs: CVE-2021-23337 Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. CVE-2020-28500 Lodash version...
K25573437: TMM vulnerability CVE-2018-5517
Security Advisory Description Malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. CVE-2018-5517 Impact This vulnerability...
K24301698: TMUI XSS vulnerability CVE-2021-23027
Security Advisory Description A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. CVE-2021-23027 Impact An attacker may exploit this...
K23200408: reposync vulnerability CVE-2018-10897
Security Advisory Description A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the...
K23374214: Apache Shiro vulnerability CVE-2016-4437
Security Advisory Description Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. CVE-2016-4437 Impact There is no impact;...
K23439402: Debian package management system vulnerability CVE-2022-1664
Security Advisory Description Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a...
K59904248: iControl SOAP vulnerability CVE-2022-29474
Security Advisory Description A directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. CVE-2022-29474 Impact An authenticated attacker with at least guest role privileges may...
K25400442: TMM vulnerability CVE-2020-5931
Security Advisory Description Virtual servers with a OneConnect profile may incorrectly handle WebSockets related HTTP response headers, causing the Traffic Management Microkernel (TMM) to restart. CVE-2020-5931 Impact An attacker may be able to perform a denial-of-service (DoS) attack on a BIG-IP...
K16015326: libtar vulnerability CVE-2013-4397
Security Advisory Description Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer...
K53593534: BIG-IP ASM and F5 Advanced WAF attack signature check failure on certain HTTP requests
Security Advisory Description The BIG-IP ASM and F5 Advanced Web Application Firewall (Advanced WAF) attack signature check may fail to detect and block certain HTTP requests. Impact The attack signature check fails to detect and block such requests, as expected of a security policy. Symptoms As a...
K61367237: BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859
Security Advisory Description Specially formatted HTTP/3 messages may cause the Traffic Management Microkernel (TMM) to produce a core file. CVE-2020-5859 Impact TMM may restart and temporarily fail to process traffic on BIG-IP hosts with the HTTP/3 QUIC profile configured. High availability (HA)...
K41412302: Jetty vulnerability CVE-2019-10247
Security Advisory Description In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not...
K50222414: Linux kernel vulnerability CVE-2019-11486
Security Advisory Description The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions. CVE-2019-11486 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Developme...
K51025656: Linux kernel vulnerability CVE-2016-10229
Security Advisory Description udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. CVE-2016-10229 Impact There is no impact; F5...
K40356136: systemd vulnerability CVE-2018-15686
Security Advisory Description A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are...
K41242221: QEMU vulnerability CVE-2017-2615
Security Advisory Description Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU...
K39204079: GNU C Library vulnerability CVE-2015-8983
Security Advisory Description Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computin...