K20336394: ImageMagick vulnerability CVE-2019-13135

Security Advisory Description ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c. CVE-2019-13135 Impact BIG-IP AAM, Edge Gateway, and WebAccelerator This issue affects BIG-IP systems only when WAM or AAM is provisioned. If...

K48382137: Bootstrap vulnerability CVE-2018-14040

Security Advisory Description In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. CVE-2018-14040 Impact An attacker may exploit this vulnerability to perform a cross-site scripting XSS attack. Security Advisory Status F5 Product Development has assigned ID 767373...

K85932552: OpenJDK vulnerabilities CVE-2022-21540, CVE-2022-21541, and CVE-2022-21549

Security Advisory Description CVE-2022-21540 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition...

K93019301: mod_auth_digest vulnerability CVE-2019-0217

Security Advisory Description In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in modauthdigest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. CVE-2019-0217...

K84024430: Linux kernel vulnerability CVE-2017-7542

Security Advisory Description The ip6find1stfragopt function in net/ipv6/outputcore.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service integer overflow and infinite loop by leveraging the ability to open a raw socket. CVE-2017-7542 Impact This vulnerability allow...

K65230547: Apache Tomcat vulnerabilities CVE-2016-5018, CVE-2016-6794, and CVE-2016-6796

Security Advisory Description CVE-2016-5018 In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web...

K13540723: NTP vulnerability CVE-2018-7184

Security Advisory Description ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service disruption by sending a packet with a zero-origin timestamp causing the association to reset and setting the...

K19430431: TMM vulnerability CVE-2017-6160

Security Advisory Description A remote attacker may create maliciously crafted HTTP request to cause Traffic Management Microkernel TMM to restart and temporarily fail to process traffic. This issue is exposed on virtual servers using a Policy Enforcement profile or a Web Acceleration profile...

K06542333: Multiple Intel FPGA vulnerabilities CVE-2019-14625, CVE-2019-14626, and CVE-2020-0574

Security Advisory Description CVE-2019-14625 Improper access control in on-card storage for the Intel® FPGA Programmable Acceleration Card N3000, all versions, may allow a privileged user to potentially enable denial of service via local access. CVE-2019-14626 Improper access control in PCIe...

K55102452: TMM vulnerability CVE-2017-6140

Security Advisory Description Undisclosed sequence of packets sent to Virtual Servers with client or server SSL profiles using AES-GCM cipher suites may cause disruption of data plane services. CVE-2017-6140 This vulnerability affects the following BIG-IP platforms: 2000s, 2200s, 4000s, 4200v,...

K02219239: PCRE vulnerability CVE-2020-14155

Security Advisory Description libpcre in PCRE before 8.44 allows an integer overflow via a large number after a ?C substring. CVE-2020-14155 Impact An attacker may be able cause an integer overflow that negatively impacts applications. Security Advisory Status F5 Product Development has assigned ...

K61223103: Linux kernel vulnerability CVE-2017-9074

Security Advisory Description The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service out-of-bounds read and BUG or possibly have unspecified...

K02212309: MySQL vulnerabilities CVE-2018-2755, CVE-2018-2758, CVE-2018-2759, CVE-2018-2761, and CVE-2018-2762

Security Advisory Description CVE-2018-2755 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Replication. Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated...

K57211290: IPv6 fragmentation vulnerability CVE-2016-10142

Security Advisory Description An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big PTB messages. The scope of this CVE is all affected IPv6 implementations from all vendors. The security implications of IP fragmentation have been discussed at length in RFC627...

K02453220: jQuery vulnerability CVE-2020-11022

Security Advisory Description In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. This problem is patched in jQuer...

K01249564: Linux kernel vulnerability CVE-2020-27786

Security Advisory Description A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes t...

K01587042: BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Security Advisory Description Under some circumstances, the Traffic Management Microkernel TMM may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles. CVE-2016-7475 Impact In many cases, the pool members will tear down these network connections...

K44200194: DNS TCP virtual server vulnerability CVE-2018-5501

Security Advisory Description In some circumstances TCP DNS profile allows excessive buffering due to lack of flow control. CVE-2018-5501 Impact The affected BIG-IP system may experience performance degradation or denial-of-service DoS in the worst-case scenario when the vulnerability is exploite...

K04234247: Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012

Security Advisory Description Lack of input validation for items used in system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. CVE-2021-23012 Impact In a standard BIG-IP deployment, a minor...

K04734219: Red Hat JBoss vulnerability CVE-2015-7501

Security Advisory Description Red Hat JBoss A-MQ 6.x; BPM Suite BPMS 6.x; BRMS 6.x and 5.x; Data Grid JDG 6.x; Data Virtualization JDV 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works FSW 6.x; Operations Network JBoss ON 3.x; Portal 6.x; SOA Platform...

K02652550: OpenSSL vulnerability CVE-2016-2180

Security Advisory Description The TSOBJprintbio function in crypto/ts/tslib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol TSP implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service out-of-bounds read and application crash via a crafted...

K35135935: Side-channel processor vulnerability CVE-2018-9056 (BranchScope)

Security Advisory Description Systems with microprocessors utilizing speculative execution may allow unauthorized disclosure of information to an attacker with local user access via a side-channel attack on the directional branch predictor, as demonstrated by a pattern history table PHT, aka...

K98776835: Apache Tomcat vulnerability - CVE-2018-8037

Security Advisory Description If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NI...

K96670746: NTP vulnerability CVE-2017-6464

Security Advisory Description NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service ntpd crash via a malformed mode configuration directive. CVE-2017-6464 Impact A remote, authenticated attacker may abuse this vulnerability using a crafted message to cau...

K42051445: BIG-IP Advanced WAF and ASM WebSocket vulnerability CVE-2021-23030

Security Advisory Description When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. CVE-2021-23030 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote attacker to cause a denial-of-service DoS on the...

K36302720: Apache Tomcat vulnerability CVE-2016-6797

Security Advisory Description The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web...

K94563344: HTTP/2 ALPN vulnerability CVE-2019-6619

Security Advisory Description The Traffic Management Microkernel TMM may restart when a virtual server has an HTTP/2 profile with Application Layer Protocol Negotiation ALPN enabled and it processes traffic where the ALPN extension size is zero. CVE-2019-6619 Impact BIG-IP The Traffic Management...

K81926432: NGINX ngx_http_mp4_module vulnerability CVE-2022-41741

Security Advisory Description NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngxhttpmp4module that might allow a local attacker to corrupt NGIN...

K33211839: TMM vulnerability CVE-2018-5500

Security Advisory Description Every Multipath TCP MCTCP connection established leaks a small amount of memory. Virtual server using TCP profile with Multipath TCP MCTCP feature enabled will be affected by this issue. CVE-2018-5500 Impact Over a period of time, the memory leak may lead to memory...

K76295179: Linux kernel vulnerability CVE-2019-15099

Security Advisory Description drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor. CVE-2019-15099 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory...

K85742355: Java SE vulnerability CVE-2020-14577

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: JSSE. Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker wi...

K84891934: Oracle Access Manager vulnerability CVE-2018-2739 and CVE-2018-2587

Security Advisory Description CVE-2018-2739 Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware subcomponent: Web Server Plugin. Supported versions that are affected are 10.1.4.3.0, 11.1.2.3.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated...

K86569155: Apache Gobblin vulnerability CVE-2021-36152

Security Advisory Description Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service. This affects versions = 0.15.0. Users should update to version 0.16.0 which addresses this issue. CVE-2021-36152 Impact There is no impact; F5 products are not affected by this...

K84144321: Apache Struts vulnerability CVE-2017-9805

Security Advisory Description The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads...

K82069123: ISC BIND vulnerability CVE-2018-5736

Security Advisory Description An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is...

K80533167: BIND vulnerability CVE-2017-3135

Security Advisory Description Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 - 9.9.9-S7,...

K30184101: OpenSSL Vulnerability CVE-2021-4160

Security Advisory Description There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include...

K30585021: BIG-IQ XSS vulnerability CVE-2021-23006

Security Advisory Description Undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. CVE-2021-23006 Impact An attacker may exploit this vulnerability using a crafted URL to a reflected cross-site scripting XSS in an undisclosed page of the BIG-IQ user interface. Security...

K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413

Security Advisory Description CVE-2022-0261 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. CVE-2022-0318 Heap-based Buffer Overflow in vim/vim prior to 8.2. CVE-2022-0361 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. CVE-2022-0392 Heap-based Buffer...

K25092613: rsyslog vulnerability CVE-2018-1000140

Security Advisory Description rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigg...

K11307303: OpenSSL vulnerability CVE-2016-8610

Security Advisory Description A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an...

K11601010: Intel Processor vulnerability CVE-2021-33149

Security Advisory Description Observable behavioral discrepancy in some IntelR Processors may allow an authorized user to potentially enable information disclosure via local access. CVE-2021-33149 Impact This vulnerability may allow an authorized user to potentially enable information disclosure...

K10105323: Java Bouncy Castle vulnerability CVE-2015-7940

Security Advisory Description The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman ECDH key exchanges, aka an "invalid curve...

K04623854: Apache Tomcat vulnerability CVE-2018-1304

Security Advisory Description The URL pattern of "" the empty string which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the...

K13060403: PHP vulnerability CVE-2018-10548

Security Advisory Description An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service NULL pointer dereference and application crash because of mishandling of the...

K06554372: Linux kernel vulnerability CVE-2019-19059

Security Advisory Description Multiple memory leaks in the iwlpciectxtinfogen3init function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service memory consumption by triggering iwlpcieinitfwsec or...

K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963

Security Advisory Description Spring Framework RCE Spring4Shell: CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the...

K24920320: Intel Ethernet Adapter Driver vulnerabilities CVE-2020-24502, CVE-2020-24503 and CVE-2020-24504

Security Advisory Description CVE-2020-24502 Improper input validation in some IntelR Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows, may allow an authenticated user to potentially enable a denial of service via local access. CVE-2020-24503...

K04712583: Linux kernel vulnerability CVE-2021-40490

Security Advisory Description A race condition was discovered in ext4writeinlinedataend in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. CVE-2021-40490 Impact An attacker may be able to access shared resources by way of untrusted code sequences. Security Advisory...

K10002335: TMM vulnerability CVE-2017-6159

Security Advisory Description The BIG-IP system is vulnerable to a denial of service attack when the MPTCP option is enabled on a virtual server. Data plane is vulnerable when using the MPTCP option of a TCP profile. There is no control plane exposure. CVE-2017-6159 Impact An attacker may be able...