6294 matches found

F5 Networks • added 2023/02/21 6:35 p.m. • 50 views

K68804133: Apache vulnerability CVE-2017-12171

Security Advisory Description A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP...

CVSS 6.5 • AI score 6.6 • EPSS 0.08078 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 337 views

K61529042: Log4j vulnerability CVE-2019-17571

Security Advisory Description Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This...

CVSS 9.8 • AI score 7.8 • EPSS 0.6906 • Exploits 3
F5 Networks • added 2023/02/21 6:35 p.m. • 58 views

K14122652: Apache Log4j2 vulnerability CVE-2021-44832

Security Advisory Description Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration...

CVSS 8.5 • AI score 8.7 • EPSS 0.98078 • Exploits 9 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 63 views

K70844615: OpenSSL vulnerability CVE-2016-6302

Security Advisory Description The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. CVE-2016-6302 Impact Remote attacke...

CVSS 7.5 • AI score 7.9 • EPSS 0.26441 • Exploits 1 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 36 views

K05211147: Kernel vulnerabilities CVE-2014-8559, CVE-2015-0275, CVE-2015-1333, CVE-2015-3212, and CVE-2015-4700

Security Advisory Description CVE-2014-8559 The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. CVE-2015-0275 The...

CVSS 5.5 • AI score 5.8 • EPSS 0.00738 • Exploits 1
F5 Networks • added 2023/02/21 6:35 p.m. • 33 views

K14614344: libxml2 vulnerability CVE-2016-1840

Security Advisory Description Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of...

CVSS 7.8 • AI score 7.8 • EPSS 0.03266 • Exploits 1 • Affected Software 15
F5 Networks • added 2023/02/21 6:35 p.m. • 47 views

K13331647: Linux kernel vulnerability CVE-2019-13233

Security Advisory Description In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. CVE-2019-13233 Impact There is no impact; F5 products are...

CVSS 7 • AI score 6.8 • EPSS 0.00469 • Exploits 1
F5 Networks • added 2023/02/21 6:35 p.m. • 41 views

K05937379: libxml2 vulnerability CVE-2016-1837

Security Advisory Description Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause ...

CVSS 5.5 • AI score 7 • EPSS 0.04092 • Exploits 1 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 46 views

K52952871: Multiple RubyGems vulnerabilities

Security Advisory Description CVE-2018-1000073 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in...

CVSS 9.8 • AI score 7.5 • EPSS 0.05076 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 56 views

K10420455: Python urllib and urllib2 library vulnerability CVE-2016-5699

Security Advisory Description CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 Impact An attacker...

CVSS 6.1 • AI score 7.9 • EPSS 0.09887 • Exploits 3 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 32 views

K11330536: BIG-IP Appliance mode vulnerability CVE-2019-6635

Security Advisory Description When the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions. CVE-2019-6635 Impact BIG-IP This vulnerability allows local attackers with high-level privileges to...

CVSS 4.4 • AI score 4.8 • EPSS 0.00379 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 72 views

K10269585: Linux kernel vulnerability CVE-2018-20976

Security Advisory Description An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure. CVE-2018-20976 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...

CVSS 7.8 • AI score 6 • EPSS 0.00607 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 42 views

K02215905: Wireshark vulnerabilities CVE-2018-16056, CVE-2018-16057, and CVE-2018-16058

Security Advisory Description CVE-2018-16056 In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth Attribute Protocol dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by verifying that a dissector for a specific UUID exists. CVE-2018-16057 In...

CVSS 7.5 • AI score 6.5 • EPSS 0.0343 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 29 views

K03318649: BIG-IP QKView vulnerability CVE-2020-5890

Security Advisory Description When creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will not fully obfuscate if they contain whitespace. CVE-2020-5890 Impact The BIG-IP system may disclose sensitive information used f...

CVSS 5.5 • AI score 5.7 • EPSS 0.00455 • Exploits 0 • Affected Software 12
F5 Networks • added 2023/02/21 6:35 p.m. • 30 views

K60130614: Linux kernel vulnerability CVE-2019-19069

Security Advisory Description A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99. CVE-2019-19069 Impact An attacker...

CVSS 7.8 • AI score 7.6 • EPSS 0.03422 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 31 views

K67501282: Overview of F5 vulnerabilities (June 2021)

Security Advisory Description On June 1, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated Security Advisory article...

CVSS 9 • AI score 7.2 • EPSS 0.05346 • Exploits 3
F5 Networks • added 2023/02/21 6:35 p.m. • 49 views

K63712424: PHP vulnerability CVE-2015-8935

Security Advisory Description The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against...

CVSS 6.1 • AI score 6.9 • EPSS 0.02946 • Exploits 0 • Affected Software 22
F5 Networks • added 2023/02/21 6:35 p.m. • 60 views

K62178133: Linux kernel vulnerability CVE-2017-14106

Security Advisory Description The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. CVE-2017-14106 Impact ...

CVSS 5.5 • AI score 6.2 • EPSS 0.00445 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 48 views

K01713115: BIND vulnerability CVE-2019-6465

Security Advisory Description Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 - 9.10.8-P1, 9.11.0 - 9.11.5-P2, 9.12.0 - 9.12.3-P2, and versions 9.9.3-S1 - 9.11.5-S3 of BIND 9 Supported Preview...

CVSS 5.3 • AI score 6.5 • EPSS 0.04577 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 40 views

K49902412: nghttp vulnerability CVE-2018-1000168

Security Advisory Description nghttp2 version = 1.10.0 and nghttp2 = 1.31.1. CVE-2018-1000168 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for potential vulnerability,...

CVSS 7.5 • AI score 7.6 • EPSS 0.10782 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 46 views

K53634325: Linux kernel vulnerability CVE-2019-19068

Security Advisory Description A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6...

CVSS 4.9 • AI score 6.1 • EPSS 0.00451 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 17 views

K57214921: BIG-IP TMUI XSS vulnerability CVE-2020-5915

Security Advisory Description An undisclosed Traffic Management User Interface (TMUI), or Configuration utility, page contains a vulnerability which allows a stored cross-site scripting (XSS) attack when BIG-IP systems are setup in a device trust. Impact On a BIG-IP system in a high availability (HA)...

AI score 5.8 • Exploits 0 • Affected Software 15
F5 Networks • added 2023/02/21 6:35 p.m. • 43 views

K81952114: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-26415

Security Advisory Description When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. CVE-2022-26415 Impact In Appliance mode, an authenticated user with valid user...

CVSS 9.1 • AI score 8.7 • EPSS 0.00676 • Exploits 0 • Affected Software 13
F5 Networks • added 2023/02/21 6:35 p.m. • 73 views

K73648110: Apache Tomcat vulnerability CVE-2021-25329

Security Advisory Description The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to...

CVSS 7 • AI score 7.7 • EPSS 0.56636 • Exploits 15
F5 Networks • added 2023/02/21 6:35 p.m. • 68 views

K52379673: Linux kernel vulnerability for CVE-2021-4083

Security Advisory Description A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close and fget simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system o...

CVSS 7 • AI score 6.4 • EPSS 0.00313 • Exploits 0 • Affected Software 16
F5 Networks • added 2023/02/21 6:35 p.m. • 33 views

K34224086: MySQL vulnerability CVE-2016-5627

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to Server: InnoDB. CVE-2016-5627 Impact There is no impact; F5 products are not affected by this...

CVSS 6.5 • AI score 5.1 • EPSS 0.02796 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 80 views

K34468163: Apache Tomcat vulnerability CVE-2018-8034

Security Advisory Description The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. CVE-2018-8034 Impact A user on the local...

CVSS 7.5 • AI score 7.8 • EPSS 0.213 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 155 views

K32957101: Apache HTTPD vulnerability CVE-2019-0211

Security Advisory Description In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads including scripts executed by an in-process scripting interpreter could execute arbitrary code with the privileges of...

CVSS 7.8 • AI score 7.4 • EPSS 0.65005 • Exploits 8
F5 Networks • added 2023/02/21 6:35 p.m. • 41 views

K26422113: libxml2 vulnerability CVE-2016-1839

Security Advisory Description The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document...

CVSS 5.5 • AI score 6.8 • EPSS 0.07407 • Exploits 2 • Affected Software 15
F5 Networks • added 2023/02/21 6:35 p.m. • 77 views

K25046752: Traffic Intelligence feeds vulnerability CVE-2022-34865

Security Advisory Description Traffic Intelligence feeds, which use HTTPS, do not verify the remote endpoint identity, allowing for potential data poisoning. CVE-2022-34865 Impact An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify...

CVSS 9.1 • AI score 8.8 • EPSS 0.00366 • Exploits 0 • Affected Software 13
F5 Networks • added 2023/02/21 6:35 p.m. • 30 views

K24311131: MySQL vulnerability CVE-2016-3492

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. CVE-2016-3492 Impact There is no impact; F5 products are not...

CVSS 6.8 • AI score 6.4 • EPSS 0.06553 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 213 views

K43346111: Linux kernel eBPF vulnerability CVE-2021-3490

Security Advisory Description The eBPF ALU32 bounds tracking for bitwise ops AND, OR and XOR in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via...

CVSS 7.8 • AI score 7.2 • EPSS 0.27477 • Exploits 8 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 38 views

K31573032: Tomcat vulnerability CVE-2020-13943

Security Advisory Description If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it was possible that a subsequent request made...

CVSS 4.3 • AI score 7.2 • EPSS 0.57286 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 219 views

K48758740: Apache Tomcat vulnerability CVE-2013-2185

Security Advisory Description DISPUTED The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name ...

CVSS 7.5 • AI score 7.3 • EPSS 0.07199 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 26 views

K69154630: BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Security Advisory Description The BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to a \\.\urvpndrv device causing the Windows kernel to crash. CVE-2020-5898...

CVSS 5.5 • AI score 5.4 • EPSS 0.00261 • Exploits 0 • Affected Software 2
F5 Networks • added 2023/02/21 6:35 p.m. • 45 views

K99998454: iControl REST vulnerability CVE-2016-5021

Security Advisory Description The iControl REST service in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.5.x before 11.5.4, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF3; BIG-IP DNS 12.x before 12.0.0 HF3; BIG-IP GTM 11.5.x before 11.5.4 and 11.6.x before 11.6.1;...

CVSS 4.9 • AI score 5.1 • EPSS 0.01237 • Exploits 0 • Affected Software 16
F5 Networks • added 2023/02/21 6:35 p.m. • 77 views

K21018505: JRE vulnerability CVE-2012-5081

Security Advisory Description Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE. CVE-2012-508...

CVSS 5 • AI score 8.1 • EPSS 0.45113 • Exploits 0 • Affected Software 2
F5 Networks • added 2023/02/21 6:35 p.m. • 27 views

K35710418: Binutils vulnerability CVE-2018-17985

Security Advisory Description An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P'...

CVSS 5.5 • AI score 6.4 • EPSS 0.01297 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 43 views

K16900: Multiple FreeType vulnerabilities

Security Advisory Description CVE-2014-9657 The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted...

CVSS 7.5 • AI score 9.2 • EPSS 0.0571 • Exploits 13 • Affected Software 22
F5 Networks • added 2023/02/21 6:35 p.m. • 52 views

K37256400: Linux kernel vulnerability CVE-2021-4028

Security Advisory Description A flaw in the Linux kernel's implementation of RDMA communications manager listener code allowed an attacker with local access to setup a socket to listen on a high port allowing for a list element to be used after free. Given the ability to execute code, a local...

CVSS 7.8 • AI score 7.1 • EPSS 0.00298 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 50 views

K28418435: Java vulnerability CVE-2017-10053

Security Advisory Description Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: 2D. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows...

CVSS 5.3 • AI score 6.3 • EPSS 0.0345 • Exploits 0 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 64 views

K79215841: OpenSSL vulnerability CVE-2016-0702

Security Advisory Description The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running ...

CVSS 5.1 • AI score 7 • EPSS 0.0191 • Exploits 1 • Affected Software 23
F5 Networks • added 2023/02/21 6:35 p.m. • 32 views

K21284031: GnuPG vulnerability CVE-2014-4617

Security Advisory Description The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. CVE-2014-4617...

CVSS 5 • AI score 6.6 • EPSS 0.03305 • Exploits 0 • Affected Software 25
F5 Networks • added 2023/02/21 6:35 p.m. • 32 views

K53330207: GnuTLS vulnerability CVE-2014-8155

Security Advisory Description GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. CVE-2014-8155 Impact GnuT...

CVSS 4.3 • AI score 7.4 • EPSS 0.01046 • Exploits 0 • Affected Software 13
F5 Networks • added 2023/02/21 6:35 p.m. • 75 views

K52320548: Expat vulnerability CVE-2016-0718

Security Advisory Description An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code...

CVSS 9.8 • AI score 8.9 • EPSS 0.13335 • Exploits 3 • Affected Software 15
F5 Networks • added 2023/02/21 6:35 p.m. • 51 views

K59440504: Apache mod_ssl vulnerability CVE-2019-0215

Security Advisory Description In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. CVE-2019-0215 Impact There is no impact; F5 products are not...

CVSS 7.5 • AI score 7.9 • EPSS 0.10508 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 33 views

K24353255: Binutils vulnerabilities CVE-2018-18605, CVE-2018-18606, and CVE-2018-18607

Security Advisory Description CVE-2018-18605 A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size i...

CVSS 5.5 • AI score 6.4 • EPSS 0.02331 • Exploits 3 • Affected Software 1
F5 Networks • added 2023/02/21 6:35 p.m. • 32 views

K55625065: MySQL vulnerability CVE-2016-5624

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML. CVE-2016-5624 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5...

CVSS 6.5 • AI score 6.5 • EPSS 0.04625 • Exploits 0
F5 Networks • added 2023/02/21 6:35 p.m. • 56 views

K23231802: Expat vulnerability CVE-2021-46143

Security Advisory Description In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVE-2021-46143 Impact A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would result in a buffer...

CVSS 8.1 • AI score 8.4 • EPSS 0.03759 • Exploits 1 • Affected Software 16
F5 Networks • added 2023/02/21 6:34 p.m. • 39 views

K55335001: Linux kernel vulnerability CVE-2019-15239

Security Advisory Description In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to ...

CVSS 7.8 • AI score 7.1 • EPSS 0.00589 • Exploits 1
Total number of security vulnerabilities: 6294