6294 matches found

F5 Networks
added 2023/02/21 6:53 p.m. • 67 views

K41385746: Apache Tomcat vulnerability CVE-2017-5648

Security Advisory Description While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application...

CVSS 9.1, AI score 8.4, EPSS 0.12725
Exploits: 0, Affected Software: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 48 views

K77384526: tcpdump vulnerabilities CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, and CVE-2016-7927

Security Advisory Description CVE-2016-7922 The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ahprint. CVE-2016-7923 The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arpprint. CVE-2016-7924 The ATM parser in tcpdump before 4.9.0 has a buffer...

CVSS 9.8, AI score 8.7, EPSS 0.03398
Exploits: 0, Affected Software: 22

F5 Networks
added 2023/02/21 6:53 p.m. • 31 views

K81192137: sosreport vulnerability CVE-2015-7529

Security Advisory Description sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by sosreport-$hostname-$date.tar in /tmp/sosreport-$hostname-$date...

CVSS 7.8, AI score 7.4, EPSS 0.00442
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 17 views

K25691186: BIG-IP Configuration utility vulnerability CVE-2020-27715

Security Advisory Description Crafted TLS request to the BIG-IP management interface via port 443 can cause high 100% CPU utilization by the httpd daemon. CVE-2020-27715 Impact Unable to access the affected BIG-IP system's Configuration utility. Security Advisory Status F5 Product Development has...

CVSS 7.8, AI score 7.4, EPSS 0.0105
Exploits: 0, Affected Software: 11

F5 Networks
added 2023/02/21 6:53 p.m. • 39 views

K47429080: Ghostscript vulnerability CVE-2016-7976

Security Advisory Description The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. CVE-2016-7976 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has...

CVSS 8.8, AI score 9.4, EPSS 0.23453
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 61 views

K23125024: MySQL vulnerabilities CVE-2019-2791, CVE-2019-2795, CVE-2019-2796, CVE-2019-2797, and CVE-2019-2798

Security Advisory Description CVE-2019-2791 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Audit Plug-in. Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with networ...

CVSS 6.5, AI score 5, EPSS 0.02729
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 35 views

K42944216: Erlang vulnerability CVE-2017-1000385

Security Advisory Description The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS 1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key this is a variation of the Bleichenbacher attack...

CVSS 5.9, AI score 6, EPSS 0.22098
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 23 views

K41346123: MySQL vulnerability CVE-2016-8287

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Replication. CVE-2016-8287 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory...

CVSS 4.5, AI score 5.5, EPSS 0.01561
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 124 views

K44309215: Linux kernel vulnerability CVE-2017-1000111

Security Advisory Description Linux kernel: heap out-of-bounds in AFPACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packetsetring. Previously with PACKETVERSION. This time wi...

CVSS 7.8, AI score 7.3, EPSS 0.00374
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 169 views

K03544225: PHP vulnerabilities CVE-2018-19518 and CVE-2018-19935

Security Advisory Description CVE-2018-19518 University of Washington IMAP Toolkit 2007f on UNIX, as used in imapopen in PHP and other products, launches an rsh command by means of the imaprimap function in c-client/imap4r1.c and the tcpaopen function in osdep/unix/tcpunix.c without preventing...

CVSS 8.5, AI score 7.8, EPSS 0.9523
Exploits: 6

F5 Networks
added 2023/02/21 6:53 p.m. • 68 views

K04454621: Linux kernel vulnerability CVE-2020-25671

Security Advisory Description A vulnerability was found in Linux Kernel, where a refcount leak in llcpsockconnect causing use-after-free which might lead to privilege escalations. CVE-2020-25671 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Statu...

CVSS 7.8, AI score 6.3, EPSS 0.00511
Exploits: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 478 views

K42531048: OpenSSH vulnerability CVE-2019-6110

Security Advisory Description In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server or Man-in-The-Middle attacker can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. CVE-2019-6110...

CVSS 6.8, AI score 7.2, EPSS 0.20906
Exploits: 8, Affected Software: 17

F5 Networks
added 2023/02/21 6:53 p.m. • 26 views

K39751401: BIND vulnerability CVE-2019-6469

Security Advisory Description An error in the EDNS Client Subnet ECS feature for recursive resolvers can cause BIND to exit with an assertion failure when processing a response that has malformed RRSIGs. Versions affected: BIND 9.10.5-S1 - 9.11.6-S1 of BIND 9 Supported Preview Edition...

CVSS 7.5, AI score 5.9, EPSS 0.02201
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 28 views

K31025212: BIG-IP MPTCP vulnerability CVE-2021-23004

Security Advisory Description Multipath TCP MPTCP forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile. CVE-2021-23004 Impact A remote attacker may be able to cause a BIG-IP system to consume excessive system resources and produce a core fil...

CVSS 7.5, AI score 6.4, EPSS 0.00961
Exploits: 0, Affected Software: 14

F5 Networks
added 2023/02/21 6:53 p.m. • 33 views

K19194273: MySQL vulnerabilities CVE-2019-2778, CVE-2019-2780, CVE-2019-2784, CVE-2019-2785, and CVE-2019-2789

Security Advisory Description CVE-2019-2778 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Security: Privileges. Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with...

CVSS 5.5, AI score 4.9, EPSS 0.02532
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 53 views

K15650046: Tcl code injection security exposure

Security Advisory Description Certain coding practices may allow an attacker to inject arbitrary Tool Command Language Tcl commands, which can be executed in the security context of the target Tcl script by the running Tcl interpreter. Note: This issue affects any user-supplied Tcl code executed ...

AI score 8.1
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 70 views

K65460334: Expat XML parser vulnerability CVE-2012-6702

Security Advisory Description Expat, when used in a parser that has not called XMLSetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. CVE-2012-6702 Impact An attacker m...

CVSS 5.9, AI score 6.8, EPSS 0.02371
Exploits: 0, Affected Software: 20

F5 Networks
added 2023/02/21 6:53 p.m. • 33 views

K32460441: OpenSSL vulnerabilities CVE-2016-7053 and CVE-2016-7054

Security Advisory Description CVE-2016-7053 In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the...

CVSS 7.5, AI score 7.7, EPSS 0.31857
Exploits: 3

F5 Networks
added 2023/02/21 6:53 p.m. • 30 views

K32157421: MySQL vulnerability CVE-2016-3495

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. CVE-2016-3495 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...

CVSS 6.8, AI score 4.5, EPSS 0.02703
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 71 views

K31085564: Spectre SWAPGS gadget vulnerability CVE-2019-1125

Security Advisory Description An information disclosure vulnerability exists when certain central processing units CPU speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073. CVE-2019-1125 also known as Spect...

CVSS 5.6, AI score 7.1, EPSS 0.04521
Exploits: 4, Affected Software: 17

F5 Networks
added 2023/02/21 6:53 p.m. • 44 views

K21856463: MySQL vulnerability CVE-2016-8289

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows local users to affect integrity and availability via vectors related to Server: InnoDB. CVE-2016-8289 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory...

CVSS 4.7, AI score 5.2, EPSS 0.00336
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 23 views

K21971977: TMM vulnerability CVE-2021-22975

Security Advisory Description Under some circumstances, Traffic Management Microkernel TMM may restart on the BIG-IP system while passing large bursts of traffic. CVE-2021-22975 Impact This vulnerability may allow an attacker to cause a denial-of-service DoS to the BIG-IP system. The BIG-IP syste...

CVSS 7.5, AI score 6.3, EPSS 0.00933
Exploits: 0, Affected Software: 14

F5 Networks
added 2023/02/21 6:53 p.m. • 55 views

K55672042: Linux kernel vulnerability CVE-2016-4470

Security Advisory Description The keyrejectandlink function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service system crash via vectors involving a crafted keyctl request2...

CVSS 5.5, AI score 6, EPSS 0.00587
Exploits: 0, Affected Software: 24

F5 Networks
added 2023/02/21 6:53 p.m. • 31 views

K23001529: SSL Intercept iApp and SSL Orchestrator Server-Side Request Forgery vulnerability CVE-2017-6130

Security Advisory Description F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulnerable to a Server-Side Request Forgery SSRF attack when deployed using the Dynamic Domain Bypass DDB feature feature plus SNAT Auto Map option for egress traffic. CVE-2017-6130 Impact A remote...

CVSS 7.4, AI score 7.6, EPSS 0.01147
Exploits: 0, Affected Software: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 31 views

K63558580: BIG-IP crypto driver vulnerability CVE-2020-5872

Security Advisory Description When processing TLS traffic with hardware cryptographic acceleration enabled on platforms with Intel QAT hardware, the Traffic Management Microkernel TMM may stop responding and cause a failover event. CVE-2020-5872 Impact Hardware cryptographic acceleration fails an...

CVSS 7.5, AI score 7.4, EPSS 0.01276
Exploits: 0, Affected Software: 11

F5 Networks
added 2023/02/21 6:53 p.m. • 78 views

K55423848: CGI.pm and CGI::Simple vulnerabilities CVE-2010-2761 and CVE-2010-4410

Security Advisory Description CVE-2010-2761 The multipartinit function in 1 CGI.pm before 3.50 and 2 Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers a...

CVSS 4.3, AI score 9.1, EPSS 0.02713
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 73 views

K32804955: Linux kernel vulnerability CVE-2019-10639

Security Advisory Description The Linux kernel 4.x starting from 4.1 and 5.x before 5.0.8 allows Information Exposure partial kernel address disclosure, leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for...

CVSS 7.5, AI score 7.1, EPSS 0.03252
Exploits: 0, Affected Software: 13

F5 Networks
added 2023/02/21 6:53 p.m. • 81 views

K51272092: MySQL vulnerabilities CVE-2019-2730, CVE-2019-2731, CVE-2019-2737, CVE-2019-2738, and CVE-2019-2739

Security Advisory Description CVE-2019-2730 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Security: Privileges. Supported versions that are affected are 5.6.44 and prior and 5.7.18 and prior. Easily exploitable vulnerability allows high privileged attacker with...

CVSS 5.5, AI score 5, EPSS 0.03919
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 26 views

K16248201: TMM vulnerability CVE-2018-15318

Security Advisory Description If an MPTCP connection receives an abort signal while the initial flow is not the primary flow, the initial flow will remain after the closing procedure is complete. TMM may restart and produce a core file as a result of this condition. CVE-2018-15318 Impact The BIG-...

CVSS 7.8, AI score 7.6, EPSS 0.01344
Exploits: 0, Affected Software: 13

F5 Networks
added 2023/02/21 6:53 p.m. • 64 views

K17011311: NodeJS vulnerability CVE-2022-35256

Security Advisory Description The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. CVE-2022-35256 Impact There is no impact; F5 products are not affected by this vulnerability...

CVSS 6.5, AI score 7.5, EPSS 0.02587
Exploits: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 76 views

K53411527: SELinux policycoreutils vulnerability CVE-2016-7545

Security Advisory Description SELinux policycoreutils allows local users to execute arbitrary commands outside of the sandbox via a crafted TIOCSTI ioctl call. CVE-2016-7545 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...

CVSS 8.8, AI score 8.6, EPSS 0.00382
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 21 views

K53821711: TMM vulnerability CVE-2020-5946

Security Advisory Description Under some circumstances, certain format client-side alerts sent to the BIG-IP virtual server configured with DataSafe may cause the Traffic Management Microkernel TMM to restart, resulting in a Denial-of-Service DoS. CVE-2020-5946 Impact A remote attacker may be abl...

CVSS 7.5, AI score 7.5, EPSS 0.01031
Exploits: 0, Affected Software: 2

F5 Networks
added 2023/02/21 6:53 p.m. • 40 views

K48866433: PHP vulnerability CVE-2019-11046

Security Advisory Description In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeri...

CVSS 5.3, AI score 7, EPSS 0.04082
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 37 views

K49144112: tcpdump vulnerabilities CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, and CVE-2016-7939

Security Advisory Description CVE-2016-7934 The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtcpprint. CVE-2016-7935 The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtpprint. CVE-2016-7936 The UDP parser in tcpdump before 4.9.0 has a buffer...

CVSS 9.8, AI score 8.6, EPSS 0.03398
Exploits: 0, Affected Software: 22

F5 Networks
added 2023/02/21 6:53 p.m. • 28 views

K25359902: BIG-IP AAM security vulnerability CVE-2019-6601

Security Advisory Description The BIG-IP AAM wamd process used in the processing of images and PDFs fails to drop group permissions when executing helper scripts. CVE-2019-6601 Impact This issue does not have a direct exploit, but may be used in unknown ways when targeting the BIG-IP AAM module...

CVSS 5.5, AI score 5.6, EPSS 0.00322
Exploits: 0, Affected Software: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 34 views

K10133477: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Security Advisory Description The anonymous IPsec IKE peer configuration object is present and enabled in the default configuration. The settings of the anonymous IPsec IKE peer object allow an arbitrary peer to establish IKE phase 1 without certificate validation or a pre-shared key which may...

CVSS 7.5, AI score 7.3, EPSS 0.02267
Exploits: 0, Affected Software: 15

F5 Networks
added 2023/02/21 6:53 p.m. • 77 views

K10515241: Linux kernel vulnerabilities CVE-2016-1583 and CVE-2016-2143

Security Advisory Description CVE-2016-1583 The ecryptfsprivilegedopen function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service stack memory consumption via vectors involving crafted mmap calls for /proc pathnames, leadi...

CVSS 7.8, AI score 7, EPSS 0.01393
Exploits: 2

F5 Networks
added 2023/02/21 6:53 p.m. • 28 views

K45143221: BIG-IP AVRD vulnerability CVE-2020-27728

Security Advisory Description Under certain conditions, Analytics, Visibility, and Reporting daemon AVRD may generate a core file and restart on the BIG-IP system when processing requests sent from mobile devices. CVE-2020-27728 Impact This may allow an attacker to initiate a denial-of-service Do...

CVSS 7.5, AI score 7.3, EPSS 0.01002
Exploits: 0, Affected Software: 2

F5 Networks
added 2023/02/21 6:53 p.m. • 25 views

K92411323: BIG-IP TMM vulnerability CVE-2019-6666

Security Advisory Description The TMM process may produce a core file when an upstream server or cache sends an HTTP response with an invalid age header value to a BIG-IP virtual server with Ram Cache enabled on its associated Web Acceleration profile. CVE-2019-6666 Impact The BIG-IP system...

CVSS 7.5, AI score 7.3, EPSS 0.01044
Exploits: 0, Affected Software: 13

F5 Networks
added 2023/02/21 6:53 p.m. • 22 views

K15417213: Samba vulnerability CVE-2015-7540

Security Advisory Description The LDAP server in the AD domain controller in Samba 4.x before 4.1.22 does not check return values to ensure successful ASN.1 memory allocation, which allows remote attackers to cause a denial of service memory consumption and daemon crash via crafted packets...

CVSS 7.5, AI score 6.4, EPSS 0.07116
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 154 views

K00503780: Apache Struts 2 vulnerability CVE-2017-7672

Security Advisory Description If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version...

CVSS 5.9, AI score 6.7, EPSS 0.09362
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 58 views

K45213552: cups-filters vulnerabilities CVE-2015-8327 and CVE-2015-8560

Security Advisory Description CVE-2015-8327 Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0.42 before 1.2.0 and in foomatic-filters in Foomatic 4.0.x allows remote attackers to execute arbitrary commands via backtick characters in a print job. CVE-2015-8560...

CVSS 7.5, AI score 8, EPSS 0.10171
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 52 views

K95375529: PHP vulnerabilities CVE-2013-7456, CVE-2016-4343, and CVE-2016-5093

Security Advisory Description CVE-2013-7456 gdinterpolation.c in the GD Graphics Library aka libgd before 2.1.1, as used in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7, allows remote attackers to cause a denial of service out-of-bounds read or possibly have unspecified other impa...

CVSS 8.8, AI score 9.1, EPSS 0.05487
Exploits: 3

F5 Networks
added 2023/02/21 6:53 p.m. • 25 views

K91026261: BIG-IP TMM vulnerability CVE-2019-6594

Security Advisory Description Multipath TCP MPTCP does not protect against multiple zero length DATAFINs in the reassembly queue, which can lead to an infinite loop in some circumstances. CVE-2019-6594 Impact The BIG-IP system temporarily fails to process traffic as it recovers from a Traffic...

CVSS 5.9, AI score 5.9, EPSS 0.01017
Exploits: 0, Affected Software: 13

F5 Networks
added 2023/02/21 6:53 p.m. • 59 views

K82508682: Linux kernel vulnerability CVE-2017-6074

Security Advisory Description The dccprcvstateprocess function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCPPKTREQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service double free via an applicatio...

CVSS 7.8, AI score 6.4, EPSS 0.0596
Exploits: 13, Affected Software: 23

F5 Networks
added 2023/02/21 6:53 p.m. • 147 views

K91025336: Linux kernel vulnerability CVE-2019-13272

Security Advisory Description In the Linux kernel before 5.1.17, ptracelink in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child...

CVSS 7.8, AI score 6.2, EPSS 0.52199
Exploits: 21

F5 Networks
added 2023/02/21 6:53 p.m. • 83 views

K82300604: Linux Kernel vulnerability CVE-2017-8831

Security Advisory Description The saa7164busget function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service out-of-bounds array access or possibly have unspecified other impact by changing a certain sequence-number value,...

CVSS 6.9, AI score 6.5, EPSS 0.00373
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 32 views

K11758085: OpenSSL vulnerability CVE-2016-6305

Security Advisory Description The ssl3readbytes function in record/reclayers3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service infinite loop by triggering a zero-length record in an SSLpeek call. CVE-2016-6305 Impact There is no impact; F5 products are not...

CVSS 7.5, AI score 8.6, EPSS 0.15997
Exploits: 1

F5 Networks
added 2023/02/21 6:53 p.m. • 82 views

K13500115: Little CMS (aka lcms2) vulnerability CVE-2016-10165

Security Advisory Description The TypeMLURead function in cmstypes.c in Little CMS aka lcms2 allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read. CVE-2016-10165 Impact There is no...

CVSS 7.1, AI score 7.2, EPSS 0.02772
Exploits: 0

F5 Networks
added 2023/02/21 6:53 p.m. • 66 views

K11330713: jQuery vulnerability CVE-2014-6071

Security Advisory Description jQuery 1.4.2 allows remote attackers to conduct cross-site scripting XSS attacks via vectors related to use of the text method inside after. CVE-2014-6071 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Produ...

CVSS 6.1, AI score 6.2, EPSS 0.02382
Exploits: 0

Total number of security vulnerabilities: 6294