K14301401: MySQL vulnerabilities CVE-2018-3185, CVE-2018-3186, CVE-2018-3187, CVE-2018-3195, and CVE-2018-3200

Security Advisory Description CVE-2018-3185 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: InnoDB. Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via...

K22384173: iControl REST vulnerability CVE-2019-6641

Security Advisory Description Undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack. CVE-2019-6641 Impact BIG-IP When this vulnerability...

K19026212: Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228

Security Advisory Description Apache Log4j2 2.0-beta9 through 2.15.0 excluding security releases 2.12.2, 2.12.3, and 2.3.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can contro...

K12213311: Rsyslog v8.1908.0.0 vulnerability CVE-2019-17041

Security Advisory Description An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter in this case, a space or a colon but fails to account for strings...

K13591074: BIND vulnerability CVE-2020-8625

Security Advisory Description BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setti...

K12541829: Binutils vulnerability CVE-2019-9072

Security Advisory Description An issue was discovered in the Binary File Descriptor BFD library aka libbfd, as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setupgroup in elf.c. CVE-2019-9072 Impact There is no impact; F5 products are not affected by this...

K01409145: Oracle MySQL vulnerability CVE-2016-0641

Security Advisory Description Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect confidentiality and availability via vectors related to MyISAM. CVE-2016-0641 Impact This vulnerability may allow local users to affe...

K11455641: NGINX LDAP Reference Implementation security exposure

Security Advisory Description NGINX LDAP reference implementation configuration can be modified by sending crafted HTTP requests. Note : nginx-ldap-auth is not an NGINX Product. It is published as a reference implementation of LDAP and describes the mechanics of how the integration works and all ...

K20059815: iControl REST vulnerability CVE-2020-5943

Security Advisory Description When a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password. CVE-2020-5943 Impact ...

K15244523: 389-ds-base vulnerability CVE-2021-4091

Security Advisory Description A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. CVE-2021-4091 Impact There is no impact; F5 products ar...

K02566623: Overview of F5 vulnerabilities (March 2021)

Security Advisory Description On March 10th, 2021, F5 announced twenty-one 21 CVEs, including four Critical vulnerabilities. This document is intended to serve as an overview of these vulnerabilities to help determine the impact on your F5 devices. The details of each issue can be found in the...

K35543324: OpenSSL vulnerability CVE-2016-6303

Security Advisory Description Integer overflow in the MDC2Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service out-of-bounds write and application crash or possibly have unspecified other impact via unknown vectors. CVE-2016-6303...

K15094237: MySQL vulnerabilities CVE-2022-21460, CVE-2022-21462, CVE-2022-21478, CVE-2022-21479, CVE-2022-21482

Security Advisory Description CVE-2022-21460 Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Logging. Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access...

K44288218: Apache Tomcat vulnerability CVE-2012-5568

Security Advisory Description Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service daemon outage via partial HTTP requests, as demonstrated by Slowloris. CVE-2012-5568 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...

K56061418: glibc vulnerability CVE-2016-6323

Security Advisory Description The makecontext function in the GNU C Library aka glibc or libc6 before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI 32-bit platforms, which might allow context-dependent attackers to cause a denial of service hang, as demonstrated by...

K43530108: NGINX Controller Agent vulnerability CVE-2020-27730

Security Advisory Description The NGINX Controller Agent does not use absolute paths when calling system utilities. CVE-2020-27730 Impact This vulnerability allows a local attacker to escalate privileges and run arbitrary code as the agent root process. Security Advisory Status F5 Product...

K23151384: Sudo vulnerabilities CVE-2017-1000367 and CVE-2017-1000368

Security Advisory Description CVE-2017-1000367 Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation embedded spaces in the getprocessttyname function resulting in information disclosure and command execution. CVE-2017-1000368 Todd Miller's sudo version 1.8.20p1 and...

K40444230: Apache Struts 1 vulnerability CVE-2016-1181

Security Advisory Description ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service unexpected memory access via a multipart request, a related issue ...

K81137982: TMM vulnerability CVE-2017-6136

Security Advisory Description Undisclosed traffic patterns sent to BIG-IP virtual servers, with the TCP Fast Open and Tail Loss Probe options enabled in the associated TCP profile, may cause a disruption of service to the Traffic Management Microkernel TMM. CVE-2017-6136 Impact An attacker may be...

K38871451: LibTIFF vulnerability CVE-2015-7554

Security Advisory Description The TIFFVGetField function in tifdir.c in libtiff 4.0.6 allows attackers to cause a denial of service invalid memory write and crash or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF. CVE-2015-7554 Impact This vulnerabilit...

K87323016: Apache mod_proxy vulnerability CVE-2020-13950

Security Advisory Description Apache HTTP Server versions 2.4.41 to 2.4.46 modproxyhttp can be made to crash NULL pointer dereference with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service CVE-2020-13950 Impact There is no impact; F...

K54105941: glibc vulnerability CVE-1999-0199

Security Advisory Description manual/search.texi in the GNU C Library aka glibc before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a...

K42801711: node-ipc vulnerability CVE-2022-23812

Security Advisory Description This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. Note: from versions 11.0.0 onwards, instead of having...

K62532311: jQuery vulnerability CVE-2012-6708

Security Advisory Description jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the ' Identified L...

K72335002: TMM vulnerability CVE-2019-6623

Security Advisory Description Undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel TMM to restart, resulting in a Denial-of-Service DoS. CVE-2019-6623 Impact A remote attacker may be able to perform a denial-of-service DoS attack on a BIG-IP syst...

K52950150: CUPS vulnerability CVE-2014-9679

Security Advisory Description Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow. CVE-2014-9679 Impact There is no impact; F5...

K62031468: Linux Kernel vulnerability CVE-2019-19060, CVE-2019-19067, CVE-2019-19069, CVE-2019-19081, CVE-2019-19083

Security Advisory Description CVE-2019-19060 A memory leak in the adisupdatescanmode function in drivers/iio/imu/adisbuffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service memory consumption, aka CID-ab612b1daf41. CVE-2019-19067 DISPUTED Four memory leaks in the...

K67090077: Apache HTTP Server vulnerability CVE-2022-22720

Security Advisory Description Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. CVE-2022-22720 Impact Any authenticated user may exploit this vulnerability and cause a...

K42696541: F5 TMUI XSS vulnerability CVE-2020-5948

Security Advisory Description Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. CVE-2020-5948 Impact An attacker may exploit this vulnerability using a crafted URL t...

K12252011: OpenSSH vulnerability CVE-2019-6109

Security Advisory Description An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server or Man-in-The-Middle attacker can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional...

K51390683: PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Security Advisory Description CVE-2016-5094 Integer overflow in the phphtmlentities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from...

K14594844: Linux kernel Vulnerability CVE-2020-25670

Security Advisory Description A vulnerability was found in Linux Kernel where refcount leak in llcpsockbind causing use-after-free which might lead to privilege escalations. CVE-2020-25670 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5...

K41133903: ISC DHCP vulnerabilities CVE-2022-2928 CVE-2022-2929

Security Advisory Description CVE-2022-2928 In ISC DHCP 4.4.0 - 4.4.3, ISC DHCP 4.1-ESV-R1 - 4.1-ESV-R16-P1, when the function optioncodehashlookup is called from addoption, it increases the option's refcount field. However, there is not a corresponding call to optiondereference to decrement the...

K23675185: Apache Qpid vulnerabilities CVE-2016-3094 and CVE-2016-4432

Security Advisory Description CVE-2016-3094 PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service broker termination via a crafted authentication attempt, which triggers an uncaught...

K46535047: F5 TCP IPv6 vulnerability CVE-2016-9252

Security Advisory Description The Traffic Management Microkernel TMM in F5 BIG-IP systems before 11.5.4 HF3, 11.6.x before 11.6.1 HF2, and 12.x.x before 12.1.2 do not properly handle minimum path MTU options for IPv6, which allows remote attackers to cause a denial of service DoS through...

K43741620: OpenSSL vulnerabilities CVE-2018-0734 and CVE-2018-0735

Security Advisory Description CVE-2018-0734 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a Affected 1.1.1. Fixed in OpenSSL 1.1.0j...

K41320158: Apache vulnerability CVE-2021-26690

Security Advisory Description Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service CVE-2021-26690 Impact There is no impact; F5 products are not affected by this...

K43232343: Linux kernel Vulnerability CVE-2021-31440

Security Advisory Description This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw...

K39428424: SQL injection vulnerability CVE-2017-0304

Security Advisory Description The SQL injection vulnerability in the Configuration utility is related to the BIG-IP AFM system. CVE-2017-0304 Impact An attacker can exploit this vulnerability regardless of the BIG-IP AFM provisioning configuration; however, exploiting this vulnerability does not...

K21540525: F5 TMUI XSS vulnerability CVE-2020-5945

Security Advisory Description Undisclosed TMUI page contains a stored cross site scripting vulnerability XSS. The issue allows a minor privilege escalation for resource admin to escalate to full admin. CVE-2020-5945 Impact A malicious, authenticated user with Resource Administrator privileges may...

K61414056: Apache Tomcat vulnerability CVE-2016-5425

Security Advisory Description The Tomcat package on Red Hat Enterprise Linux RHEL 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the...

K19807532: BIND vulnerability CVE-2020-8619

Security Advisory Description The asterisk character "" is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a...

K12092991: Linux Kernel vulnerability CVE-2020-35519

Security Advisory Description An out-of-bounds OOB memory access flaw was found in x25bind in net/x25/afx25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash o...

K39002226: F5 Advanced WAF and BIG-IP ASM multipart request security exposure

Security Advisory Description Under certain conditions, the F5 Advanced Web Application Firewall Advanced WAF and BIG-IP ASM systems may not correctly detect attack signatures. This issue occurs when the following condition is met: The Advanced WAF or BIG-IP ASM received a client request containi...

K55444705: Apache ActiveMQ vulnerability CVE-2016-6810

Security Advisory Description In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation. CVE-2016-6810 Impact This vulnerabili...

K45062506: Siemens Ethernet card DoS vulnerabilities CVE-2018-11451 and CVE-2018-11452

Security Advisory Description CVE-2018-11451 A vulnerability has been identified in Firmware variant IEC 61850 for EN100 Ethernet module All versions V4.33, Firmware variant PROFINET IO for EN100 Ethernet module All versions, Firmware variant Modbus TCP for EN100 Ethernet module All versions,...

K42065024: PHP vulnerability CVE-2016-4070

Security Advisory Description DISPUTED Integer overflow in the phprawurlencode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service application crash via a long string to the rawurlencode function. NOTE...

K03521623: Linux kernel vulnerability CVE-2017-7541

Security Advisory Description The brcmfcfg80211mgmttx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service buffer overflow and system crash or possibly gain privileges via a crafted NL80211CMDFRAM...

K41415626: Transparent DNS Cache can consume excessive resources

Security Advisory Description When transparent Domain Name System DNS cache is configured on a virtual server, undisclosed Extension Mechanisms for DNS EDNS0 queries can cause the BIG-IP system to send a large volume of User Datagram Protocol UDP traffic on the server side. Note : The DNS cache...

K94142349: BIG-IP Advanced WAF and ASM WebSocket security exposure

Security Advisory Description BIG-IP Advanced WAF and ASM incorrectly handle certain WebSocket requests. This issue occurs when the following condition is met: BIG-IP Advanced WAF or ASM handles a malicious WebSocket message. Impact The attack signature check fails to detect and block requests, a...