
Diagnostics 2

Your software reached its End of Technical Support (EoTS) date on Dec 31 2023. An upgrade is recommended due to limited support options. The report found vulnerabilities in BIG-IP software that can be addressed by updating to newer versions.

Uploaded by

Karthick Cyber

Your software reached its End of Technical Support (EoTS) date on Dec 31 2023.

Support options may be limited and an upgrade is recommended.

Summary Built: Thu, 29 Feb 2024 12:27:49 -0500


QKView generated: Thu, 22 Feb 2024 11:13:19 -0500
F5 iHealth Report Serial Number: f5-pwdg-nbkb
Platform: C117
Version: 14.1.4

GCGRF5DMZ1.cnb.caymannational.com

CRITICAL

D000137353 BIG-IP TMUI Unauthenticated Remote Code Execution vulnerability
K000137353 Undisclosed requests may bypass TMUI authentication.
Fixes Introduced In: 15.1.10.3, 16.1.4.2, 17.1.1.1

H23605346 BIG-IP iControl REST vulnerability CVE-2022-1388
K23605346 Undisclosed requests may bypass iControl REST authentication.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

HIGH

D000134652 BIG-IP TCP profile vulnerability CVE-2023-40542
K000134652 When TCP Verified Accept is enabled on a TCP profile that is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0
Your system is vulnerable if TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server. Please check for these conditions.

D000135689- BIG-IP Configuration utility vulnerability CVE-2023-41373
K000135689 A directory traversal vulnerability exists in the BIG-IP Configuration utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP systems running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary.
Fixes Introduced In: 14.1.5.6, 15.1.10.2, 16.1.4.1, 17.1.0.3

D000135944 Attack signature check security exposure
K000135944 BIG-IP Advanced WAF, BIG-IP ASM and NGINX App Protect systems incorrectly handle certain requests.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

D000137365 BIG-IP TMUI authenticated SQL injection vulnerability CVE-2023-46748
K000137365 An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility.
Fixes Introduced In: 15.1.10.3, 16.1.4.2, 17.1.1.1

D21800102 HTTP RFC enforcement is bypassed when a redirect iRule is applied to
K21800102 A specifically crafted HTTP request may bypass BIG-IP HTTP RFC enforcement and may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

D26910459 BIG-IP iControl REST vulnerability CVE-2023-42768
K26910459 When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still access the iControl REST admin resource.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

Thursday 29 February 2024 Page 1 of 27



D75431121 BIG-IP APM OAuth Bearer with SSO does not process HTTP headers as
K75431121 BIG-IP APM OAuth Bearer Single Sign-On (SSO) may forward HTTP headers as-is without the expected processing when Bearer SSO is configured, API Protection profile is in use, and OAuth token failure occurs
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H000132726 BIG-IP Configuration utility XSS vulnerability CVE-2023-27378
K000132726 Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility that allow an attacker to run JavaScript in the context of the currently logged-in user
Fixes Introduced In: 14.1.5.4, 15.1.8.2, 16.1.3.4, 17.1.0.1

H000132972 BIG-IP iQuery mesh vulnerability CVE-2023-28742
K000132972 When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh
Fixes Introduced In: 14.1.5.4, 15.1.8.2, 16.1.3.4, 17.1.0.1
The 'big3d' process is vulnerable.

H000133474 BIG-IP Configuration utility vulnerability CVE-2023-38138
K000133474 A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.
Fixes Introduced In: 14.1.5.5, 15.1.9.1, 16.1.3.5, 17.1.0.2

H00602225 BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028
K00602225 Traffic is disrupted while the bd process restarts. This vulnerability allows a remote attacker to cause a denial of service (DoS) on the BIG-IP system. There is no control plane exposure, this is a data plane issue only.
Fixes Introduced In: 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2, 16.1.0

H03442392 BIG-IP ASM & Advanced WAF vulnerability CVE-2022-26890
K03442392 When ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.1, 17.0.0

H04305530 SCP vulnerability CVE-2020-15778
K04305530 scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Fixes Introduced In: none listed

H05122252 Bash vulnerability CVE-2012-6711
K05122252 A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().
Fixes Introduced In: 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H05295469 Expat vulnerability CVE-2019-15903
K05295469 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Fixes Introduced In: 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2, 17.0.0

H06524534 Linux kernel vulnerability CVE-2021-22555
K06524534 A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
Fixes Introduced In: 15.1.8, 16.1.4, 17.1.0

H07020416 Linux kernel vulnerability CVE-2017-18344
K07020416 The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
Fixes Introduced In: 16.1.0

H07944249 Node.js vulnerability CVE-2020-8277
K07944249 A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Fixes Introduced In: 14.1.4.4, 15.1.4.1, 16.1.0

H08832573 DHCP vulnerability CVE-2021-25217
K08832573 In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H11426315 BIND vulnerability CVE-2021-25214
K11426315 In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.
Fixes Introduced In: 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.0

H11830089 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-
K11830089 When the F5 BIG-IP Advanced WAF or BIG-IP ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface.
Fixes Introduced In: 13.1.5.1, 14.1.5.1, 15.1.6.1, 16.1.3.1, 17.0.0


H13213418 BIG-IP monitor configuration vulnerability CVE-2022-35735
K13213418 An authenticated attacker with Resource Administrator or Manager privileges can create or modify existing monitor objects in the Configuration utility in an undisclosed manner leading to a privilege escalation.
Fixes Introduced In: 14.1.5.1, 15.1.6.1, 16.1.3.1, 17.0.0

H15402727 cURL vulnerability CVE-2020-8286
K15402727 curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Fixes Introduced In: 15.1.10, 16.1.4, 17.1.1

H17542533 BIG-IP Advanced WAF and ASM vulnerability CVE-2023-23552
K17542533 When a BIG-IP Advanced WAF or BIG-IP ASM security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization
Fixes Introduced In: 14.1.5.3, 15.1.8, 16.1.3.3, 17.0.0.2, 17.1.0

H18484125 Eclipse Jetty vulnerability CVE-2020-27216
K18484125 In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Fixes Introduced In: none listed

H19473898 Multiple Expat vulnerabilities CVE-2022-23852, CVE-2022-25235, CVE-
K19473898 A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would result in a buffer over-read and cause the application to stop responding.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H20717585 BIG-IP APM OAuth vulnerability CVE-2023-22341
K20717585 When the BIG-IP APM system is configured with an OAuth Server that references an OAuth Provider, an OAuth profile with the Authorization Endpoint set to '/', and an access profile which references that OAuth profile and is associated with an HTTPS virtual server, undisclosed requests may cause TMM to terminate
Fixes Introduced In: 14.1.5.3

H21317311 Guided Configuration XSS vulnerability CVE-2022-27230
K21317311 A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of BIG-IP Guided Configuration (GC) that allows an attacker to execute JavaScript in the context of the currently logged-in user.
Fixes Introduced In: 17.0.0

H21435974 TMUI XSS vulnerability CVE-2021-23037
K21435974 An attacker may exploit this vulnerability by causing an authenticated user to send a crafted URL that is then reflected back and executed by the user's web browser. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system.
Fixes Introduced In: none listed

H23157312 PostgreSQL vulnerability CVE-2020-13692
K23157312 PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
Fixes Introduced In: 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


H23231802 Expat vulnerability CVE-2021-46143
K23231802 In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Fixes Introduced In: none listed

H23421535 Expat vulnerabilities CVE-2022-22822, CVE-2022-22823, and CVE-
K23421535 A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would result in a buffer over-read and cause the application to stop responding.
Fixes Introduced In: none listed

H23454411 BIG-IP DNS profile vulnerability CVE-2022-26372
K23454411 When a DNS listener is configured on a virtual server with DNS queueing (default), undisclosed requests can cause an increase in memory resource utilization.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.0.2, 16.0.0
/Common/cayman-listener has profile /Common/dns with DNS listener

H24207649 GNU C Library (glibc) vulnerability CVE-2021-3999
K24207649 A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially run arbitrary code and escalate their privileges on the system.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H24301698 TMUI XSS vulnerability CVE-2021-23027
K24301698 An attacker may exploit this vulnerability by convincing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system.
Fixes Introduced In: 14.1.4.3, 15.1.3.1, 16.0.1.2, 16.1.0

H27155546 BIND vulnerability CVE-2022-38177
K27155546 By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
Fixes Introduced In: none listed

H27238230 glibc vulnerability CVE-2020-29573
K27238230 sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference.
Fixes Introduced In: 14.1.4.5, 15.1.4.1, 16.1.2

H28622040 Python vulnerability CVE-2019-9948
K28622040 urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
Fixes Introduced In: 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2, 17.0.0

H29500533 TMUI XSS vulnerability CVE-2022-23013
K29500533 A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to execute JavaScript in the context of the current logged-in user. An attacker may exploit this vulnerability by causing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system.
Fixes Introduced In: 14.1.4.4, 15.1.4, 16.1.0

This heuristic does not check for a workaround.

H30150004 The BIG-IP Advanced WAF/ASM attack signature check may fail to
K30150004 The BIG-IP Advanced Web Application Firewall (WAF) and ASM attack signature check may fail to detect and block malicious request containing certain decimal-coded characters.
Fixes Introduced In: 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2, 16.1.0

H30291321 Advanced WAF and BIG-IP ASM attack signature check may fail to
K30291321 The F5 Advanced Web Application Firewall (WAF) and BIG-IP ASM attack signature check may fail to detect and block illegal requests. This issue occurs when the affected policy is configured as case insensitive (the Policy is case sensitive setting is disabled); one of the words from the attack signature matches that of the parameter name; the word from the attack signature is case sensitive; it does not have the nocase modifier in the signature.
Fixes Introduced In: 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2, 16.1.0

H30911244 BIG-IP Advanced WAF/ASM and NGINX App Protect attack signature
K30911244 The BIG-IP Advanced WAF/ASM and NGINX App Protect attack signature check may fail to detect and block certain HTTP requests when some signatures are disabled on security policy and wildcard header. The attack signature check fails to detect and block such requests as expected of a security policy.
Fixes Introduced In: 14.1.4.5, 15.1.4.1, 16.1.2

H31323265 OpenSSL vulnerability CVE-2022-0778
K31323265 It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.
Fixes Introduced In: none listed

The following clientssl profiles are used by at least one virtual server:

/Common/fda-preprod_client is assigned to /Common/fda-preprod
/Common/ActiveSync.app/ActiveSync_clientssl is assigned to /Common/ActiveSync.app/ActiveSync_combined_https
/Common/clientssl_3ds is assigned to /Common/prod-3DS
/Common/fda-prod_client is assigned to /Common/fda-prod

H32760744 libxml2 vulnerability CVE-2022-23308
K32760744 valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
Fixes Introduced In: 15.1.8, 16.1.4, 17.1.0

H33552735 BIG-IP Edge Client for Windows vulnerability CVE-2022-29263
K33552735 The BIG-IP Edge Client Component Installer Service does not use best practice while saving temporary files.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0


H36462841 Linux kernel vulnerability CVE-2018-18281
K36462841 Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
Fixes Introduced In: 13.1.5, 14.1.4.6, 14.1.5, 15.1.5.1, 15.1.6, 16.1.2.2, 16.1.3, 17.0.0

H39002226 F5 Advanced WAF and BIG-IP ASM multipart request security
K39002226 Under certain conditions, the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM systems may not correctly detect attack signatures. This issue occurs when the Advanced WAF or BIG-IP ASM received a client request containing a specially-crafted multipart body.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H40508224 Perl vulnerability CVE-2020-10878
K40508224 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
Fixes Introduced In: 14.1.4.5, 15.1.4.1, 15.1.5, 16.1.2, 17.0.0

H41440465 BIG-IP TMM vulnerability CVE-2022-26071
K41440465 A flaw in the way reply ICMP packets are limited in Traffic Management Microkernel (TMM) was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H41503304 Advanced WAF and ASM and Nginx App Protect Attack Signature
K41503304 The BIG-IP Advanced WAF/ASM and Nginx App Protect systems attack signature check may fail to match attack signature 200000128 as expected for certain undisclosed requests. This issue occurs when BIG-IP Advanced WAF or BIG-IP ASM modules or Nginx App Protect is configured and an attack signature 200000128 is enabled on the policy.
Fixes Introduced In: 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1

H44454157-1 Expat vulnerability CVE-2022-40674
K44454157 libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.1
This BIG-IP/BIG-IQ system's iControl SOAP is vulnerable.

This heuristic does not check for any mitigation.

H44454157-3 Expat vulnerability CVE-2022-40674
K44454157 libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.1
This BIG-IP (DNS) system's big3d process is vulnerable.

This heuristic does not check for any mitigation.


H45407662 BIG-IP DNS vulnerability CVE-2021-23032
K45407662 Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote attacker to cause a denial of service (DoS) on the BIG-IP system. There is no control plane exposure, this is a data plane issue only.
Fixes Introduced In: 14.1.4.4, 15.1.3.1, 16.1.0
This heuristic does not check for non-default configurations. When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause TMM to crash. Please check the settings.

The following Wide IPs have a pool:

/Common/onlineprod.glb-external.caymannational.com associated with pool '/Common/fda-prod'
/Common/3ds.glb-external.caymannational.com associated with pool '/Common/3ds-prod'
/Common/onlinepreprod.glb-external.caymannational.com associated with pool '/Common/fda-preprod'

H48321015 The BIG-IP Advanced WAF and ASM systems may fail to correctly
K48321015 The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages when the request contains an incorrectly formatted parameter. This issue occurs when the security policy includes a configuration that enables brute force protection for the HTML form login page.
Fixes Introduced In: 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.0

H49237345 BIG-IP Advanced WAF, ASM, and NGINX App Protect
K49237345 F5 BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect WAF incorrectly handle certain requests. This issue occurs when Advanced WAF, BIG-IP ASM, or NGINX App Protect WAF handles a malicious request with XML content type and XML request body.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H494013 A password policy is not configured or can be strengthened.
K15497, K5962 F5 recommends that you configure a secure password policy for the BIG-IP system.
Fixes Introduced In: none listed
There is no password policy in place.

H49549213 Advanced WAF and BIG-IP ASM brute force mitigation may fail when
K49549213 F5 Advanced Web Application Firewall (WAF) and BIG-IP ASM brute force mitigation may fail. This issue occurs when all of the following ca security policy is configured with a login page using basic authentication as its authentication type and the Advanced WAF and BIG-IP ASM systems received a specially crafted request for the login page.
Fixes Introduced In: 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2, 16.1.0
This Advanced WAF and BIG-IP ASM system may fail to stop brute force attacks on the protected login page.

H53854428 iControl SOAP vulnerability CVE-2021-23026
K53854428 An attacker may trick authenticated users into performing critical actions. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise.
Fixes Introduced In: 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2, 16.1.0

H54460845 BIG-IP Edge Client for Windows vulnerability CVE-2022-28714
K54460845 A DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H54724312 Linux kernel vulnerability CVE-2022-0492
K54724312 A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H55580033 iControl REST vulnerability CVE-2022-35728
K55580033 An authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility.
Fixes Introduced In: 14.1.5.1, 15.1.6.1, 16.1.3.1, 17.0.0.1

H56412001 BIG-IP SSL OCSP Authentication profile vulnerability CVE-2023-22323
K56412001 When OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization
Fixes Introduced In: 14.1.5.3, 15.1.8.1, 16.1.3.3, 17.0.0.2, 17.1.0

H66510514 TMM vulnerability CVE-2022-34862
K66510514 When an LTM Virtual Server is configured to perform normalization, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
Fixes Introduced In: 14.1.5, 15.1.6.1, 16.1.3.1, 17.0.0
You are running BIG-IP Access Policy Manager (APM).

You are running BIG-IP Application Security Manager (ASM). If you are running BIG-IP ASM Risk Engine, you are vulnerable to this issue.

H67397230 BIG-IP ASM, Advanced WAF, and NGINX App Protect normalizing
K67397230 The BIG-IP ASM, F5 Advanced Web Application Firewall (Advanced WAF), and NGINX App Protect systems incorrectly normalize certain strings.
Fixes Introduced In: 14.1.4.6, 15.1.5, 16.1.2.1, 17.0.0

H67416037 Linux kernel vulnerability CVE-2021-23133
K67416037 A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
Fixes Introduced In: 15.1.8, 16.1.4, 17.1.0

H70134152 BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect encoded
K70134152 The BIG-IP ASM, F5 Advanced Web Application Firewall (Advanced WAF), and NGINX App Protect systems may fail to detect encoded directory traversal in the URL. This issue occurs when the affected security policy is enabled with an evasion technique detected violation (enabled by default).
Fixes Introduced In: 13.1.5, 14.1.4.4, 15.1.4, 16.1.1, 17.0.0

H70300233 BIG-IP TMUI XSS vulnerability CVE-2022-28707
K70300233 A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
Fixes Introduced In: 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H70415522 TMM vulnerability CVE-2021-23035
K70415522 Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote attacker to cause a denial of service (DoS) on the BIG-IP system. There is no control plane exposure, this is a data plane issue only.
Fixes Introduced In: 14.1.4.4

This heuristic does not check for a workaround

The following configurations use HTTP profiles:

HTTP profile /Common/http-strict with server: /Common/prod-3DS
HTTP profile /Common/ActiveSync.app/ActiveSync_http_profile with servers: /Common/ActiveSync.app/ActiveSync_combined_https, /Common/ActiveSync.app/ActiveSync_combined_http
HTTP profile /Common/http-strict-xff with servers: /Common/fda-preprod, /Common/fda-prod
HTTP profile /Common/http with server: /Common/fda-prod-redirect

H70569537 BIG-IP DNS Express vulnerability CVE-2022-41787
K70569537 When DNS profile is configured on a virtual server with DNS Express enabled, undisclosed DNS queries with DNSSEC can cause TMM to terminate.
Fixes Introduced In: 13.1.5.1, 14.1.5.1, 15.1.6.1, 16.1.3.1, 17.0.0.1
The following DNS profile with running DNS Express is found on the system:

/Common/dns in use by virtual server '/Common/cayman-listener'

H709036 SSL certificates are expired, about to expire, or are not yet valid Fixes Introduced In
K8187 SSL certificates have specific date ranges that identify when they are valid. The following output lists
K15664 expired, nearly expired, and not yet valid certificates, grouped by their status and whether they are in
use by a BIG-IP traffic object. Please note that in qkview files generated on BIG-IP 11.x systems, this
diagnostic does not calculate whether SSL certificates are not yet valid.

Here is a summary of certificates grouped by status and usage:

Expired SSL certificate associated with one or more profiles, but not in use by any virtual servers:

SSL certificate '/Common/cert_3dstest-2022' has the expiration date Aug 15 23:59:59 2022 GMT

Profile using this certificate: /Common/clientssl_3dstest

Expired SSL certificates not in use by any profiles or virtual servers:

SSL certificate '/Common/connect-external' has the expiration date Nov 11 23:59:59 2022 GMT

SSL certificate '/config/ssl/ssl.crt/ca-bundle.crt' has the expiration date Thu Dec 8 11:10:28 2022

Expired SSL certificates in use by one or more virtual servers:

SSL certificate '/Common/OnlinepreprodFDA' has the expiration date Oct 17 23:59:59 2023 GMT

Virtual server using this certificate: /Common/fda-preprod

Profiles using this certificate: /Common/fda-preprod_client, /Common/fda-preprod_client

SSL certificate '/Common/ActiveSync' has the expiration date Aug 30 23:59:59 2023 GMT

Virtual server using this certificate: /Common/ActiveSync.app/ActiveSync_combined_https

Profile using this certificate: /Common/ActiveSync.app/ActiveSync_clientssl

Refer to an AskF5 publication 'SSL Administration/Device Certificate Management'

H72382141 Apache HTTPD vulnerability CVE-2021-34798 Fixes Introduced In


K72382141 Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache 15.1.7
HTTP Server 2.4.48 and earlier. 16.1.4
17.0.0

H727910 The configuration contains user accounts with insecure passwords Fixes Introduced In
K11719 The passwords for the accounts listed below are either default passwords or commonly used
passwords, and are susceptible to compromise.

The user account 'root' has a default password

H91589041 Expat vulnerabilities CVE-2021-45960, CVE-2022-22825, CVE-2022- Fixes Introduced In


K91589041 A remote attacker could send specially crafted XML which, when parsed by an application using the
Expat library, would result in a buffer over-read and cause the application to stop responding.

H93504311 TMM vulnerability CVE-2022-34655 Fixes Introduced In


K93504311 When an iRule containing the HTTP::payload command is configured on a virtual server, undisclosed 14.1.5
traffic can cause Traffic Management Microkernel (TMM) to terminate. 15.1.6.1
16.0.1.1
16.1.0
17.0.0
The iRule /Common/_sys_APM_ExchangeSupport_main uses the <HTTP_RESPONSE_DATA> HTTP::payload command.

The iRule /Common/ActiveSync.app/ActiveSync_combined_pool_irule3 uses the <HTTP_RESPONSE> HTTP::payload command.

H94221585 iControl SOAP vulnerability CVE-2022-41622 Fixes Introduced In


K94221585 BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP 14.1.5.3
15.1.8.1
16.1.3.3
17.0.0.2

H96223611 BIND vulnerability CVE-2021-25215
K96223611 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.
Fixes Introduced In: 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.0

MEDIUM

D06110200 BIG-IP and BIG-IQ TACACS+ audit log vulnerability CVE-2023-43485 Fixes Introduced In
K06110200 When TACACS+ audit forwarding is configured on a BIG-IP or BIG-IQ system, shared secret is logged in 15.1.9
plaintext in the audit log. 16.1.4
17.1.0
If TACACS+ audit forwarding is configured, this system is affected by this vulnerability.

D061719 Guided video demonstrations and free training for upgrading BIG-IP Fixes Introduced In
K41125752 Using the latest versions of BIG-IP software ensures that you have access to the most advanced
capabilities, the highest quality software, and the most secure releases. F5 recommends implementing
BIG-IP 14.1.x for BIG-IP appliances and BIG-IP 15.1.x for BIG-IP VEs, at a minimum.

Consider upgrading to BIG-IP 15.1.1 or higher for BIG-IP VEs.

D064237-1 The system experiences high CPU usage caused by the restjavad Fixes Introduced In
The restjavad process may become unstable if the amount of memory required by the process exceeds
the value allocated for its use. Overall system performance is degraded during the continuous restart of
the restjavad process due to relatively high CPU usage.

AVR module is provisioned and may consume additional resources.

D097135 TMM vulnerability CVE-2021-23007 Fixes Introduced In


K37451543 TMM incorrectly determines that the fragment memory limit has been reached and drops all fragments it
receives disrupting traffic to the BIG-IP system. Run the 'tmctl ip_stat' command from the BIG-IP
command line and review the output for an unusually large value in the 'frag_bytes_used' column for a
given TMM. It is possible that some TMM processes have high values and others do not.

This version is susceptible to a packet drop.

D20307245 BIG-IP tmsh vulnerability CVE-2023-45219
K20307245 An Exposure of Sensitive Information vulnerability exists in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.
Fixes Introduced In: 15.1.10, 16.1.4, 17.1.0.1, 17.1.1

D20850144 BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964 Fixes Introduced In


K20850144 The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) 15.1.9
variables. 16.1.4
17.1.0

D98334513 BIG-IP DNS TSIG Key vulnerability CVE-2023-41253 Fixes Introduced In


K98334513 When a BIG-IP DNS or BIG-IP LTM system is enabled with the DNS Services license, and a TSIG key is 15.1.9
created, the key is logged in plaintext in the audit log. 16.1.4
17.1.0
This device is vulnerable if it is a BIG-IP DNS system or a BIG-IP LTM enabled with DNS Services License. If so, check if a TSIG
key was created.

D98606833 BIG-IP and BIG-IQ secure copy vulnerability CVE-2024-21782
K98606833 BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced Shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.1

H000132768 BIG-IP Configuration utility vulnerability CVE-2023-28406
K000132768 A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that may allow an authenticated attacker to read files with an .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained.
Fixes Introduced In: 14.1.5.4, 15.1.8.2, 16.1.3.4, 17.1.0

H000133472 BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2023-38419
K000133472 An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.
Fixes Introduced In: 14.1.5.5, 15.1.9.1, 16.1.3.5, 17.1.0.2

H000134535 BIG-IP Configuration utility vulnerability CVE-2023-38423 Fixes Introduced In


K000134535 A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility 14.1.5.5
that allows an attacker to run JavaScript in the context of the currently logged-in user. 15.1.9.1
16.1.3.5
17.1.0.2

H01512680 Linux kernel vulnerability CVE-2019-11811
K01512680 An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.
Fixes Introduced In: 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1

H02453220 jQuery vulnerability CVE-2020-11022 Fixes Introduced In


K02453220 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources -
even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

H04107324 Linux kernel vulnerability CVE-2019-3900
K04107324 An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.
Fixes Introduced In: 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.0

H04303225 Intel BIOS vulnerability CVE-2021-0190 Fixes Introduced In


K04303225 Uncaught exception in the BIOS firmware for some Intel(R) Processors may allow a privileged user to
potentially enable an escalation of privilege via local access.

H04337834 Linux kernel vulnerability CVE-2017-10661
K04337834 Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
Fixes Introduced In: 14.1.5, 15.1.5.1, 16.1.0

H08152433 Intel processors MMIO stale data vulnerability CVE-2022-21166 Fixes Introduced In
K08152433 Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow
an authenticated user to potentially enable information disclosure via local access.

H08402414 BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE- Fixes Introduced In
K08402414 An authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST 14.1.4.5
endpoint causing an increase in disk resource utilization. 15.1.4.1
16.1.2
This heuristic does not check for a workaround.

H08641512 glibc vulnerability CVE-2020-27618 Fixes Introduced In


K08641512 The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid
multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to
advance the input state, which could lead to an infinite loop in applications, resulting in a denial of
service, a different vulnerability from CVE-2016-10228.

H08827426 Vim vulnerability CVE-2022-0359 Fixes Introduced In


K08827426 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. 15.1.9
16.1.4
17.1.0

H09081535 QEMU vulnerability CVE-2020-14364
K09081535 An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Fixes Introduced In: 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.0

H11315080 OpenSSH vulnerability CVE-2018-20685 Fixes Introduced In


K11315080 In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access
restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the
target directory on the client side.

H11542555 iApps vulnerability CVE-2020-17507 Fixes Introduced In


K11542555 An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in
gui/image/qxbmhandler.cpp has a buffer over-read.

H11742742 iControl REST vulnerability CVE-2022-23023
K11742742 An authenticated iControl REST user can cause an increase in memory resource utilization via undisclosed requests. System performance degradation can occur until the process is either forced to restart or manually restarted. This vulnerability allows an authenticated remote attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system.
Fixes Introduced In: 14.1.4.5, 15.1.5, 16.1.2.1

H14335949 Intel processors vulnerability CVE-2022-24436 Fixes Introduced In


K14335949 Observable behavioral in power management throttling for some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via network access. (CVE-2022-24436
also known as hertzbleed)

H14454359 Intel BIOS vulnerability CVE-2021-0153 Fixes Introduced In


K14454359 Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow a privileged user to
potentially enable an escalation of privilege via local access.

H15101402 iControl REST vulnerability CVE-2022-1468 Fixes Introduced In


K15101402 An authenticated iControl REST user with at least guest role privileges can cause processing delays to
iControl REST requests via undisclosed requests.

H16162257 Intel BIOS vulnerability CVE-2021-0154 Fixes Introduced In


K16162257 Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user
to potentially enable an escalation of privilege via local access.

H16729408 D-Bus vulnerability CVE-2020-12049
K16729408 An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
Fixes Introduced In: 15.1.4.1

H21054458 Eclipse Jetty vulnerability CVE-2017-7656
K21054458 In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.1

H21350967 OpenSSH vulnerability CVE-2019-6111 Fixes Introduced In


K21350967 An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp,
the server chooses which files/directories are sent to the client. However, the scp client only performs
cursory validation of the object name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target
directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for
example, to overwrite the .ssh/authorized_keys file).

H21548854 zlib vulnerability CVE-2018-25032 Fixes Introduced In


K21548854 zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has
many distant matches.

H22251611 Attack signature check security exposure
K22251611 BIG-IP Advanced WAF and BIG-IP ASM systems incorrectly handle certain requests. This issue occurs when BIG-IP Advanced WAF and BIG-IP ASM handle a malicious request when a parameter with Base64 decoding is enabled.
Fixes Introduced In: 14.1.5, 15.1.6.1, 16.1.2.2, 17.0.0

H22505850 BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770 Fixes Introduced In
K22505850 An authenticated iControl REST user can cause an increase in memory resource utilization, via 14.1.5.1
undisclosed requests. 15.1.7
16.1.3.1
17.0.0.1

H23153696 Apache HTTPD vulnerability CVE-2020-1927
K23153696 In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
Fixes Introduced In: 14.1.4.5, 15.1.5.1, 16.1.2.2, 17.0.0

H25046752 Traffic intelligence feeds vulnerability CVE-2022-34865 Fixes Introduced In


K25046752 Traffic Intelligence feeds, which use HTTPS, do not verify the remote endpoint identity, allowing for 14.1.5
potential data poisoning. 15.1.6.1
16.1.0

H31445234 Intel I210 network adapter vulnerability CVE-2020-0523 Fixes Introduced In


K31445234 Improper access control in the firmware for the Intel(R) Ethernet I210 Controller series of network
adapters before version 3.30 may potentially allow a privileged user to enable a denial of service via local
access.

H32380005 Linux kernel vulnerability CVE-2019-18282 Fixes Introduced In


K32380005 The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking
vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies
on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value
remains the same starting from boot time, and can be inferred by an attacker. This affects
net/core/flow_dissector.c and related code.

H32469285 Apache Tomcat vulnerability CVE-2021-33037 Fixes Introduced In


K32469285 Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP
transfer-encoding request header in some circumstances leading to the possibility to request smuggling
when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header
if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify
encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

H37283878 Intel I210 network adapter vulnerability CVE-2020-0522 Fixes Introduced In


K37283878 Improper initialization in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters
before version 3.30 may allow a privileged user to potentially enable denial of service via local access.

H38271531 BIG-IP and BIG-IQ SCP vulnerability CVE-2022-26340 Fixes Introduced In


K38271531 An authenticated, high-privileged attacker with no bash access, may be able to access Cert/Key files 13.1.5
using scp from a remote system. 14.1.4.6
15.1.5.1
16.1.2.2
17.0.0

H38893457 BIG-IP DNS TMUI Vulnerability CVE-2022-33947
K38893457 A vulnerability exists in undisclosed pages of the BIG-IP DNS Traffic Management User Interface (TMUI) that allows an authenticated attacker with at least operator role privileges to cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests.
Fixes Introduced In: 14.1.5, 15.1.6.1, 16.1.3, 17.0.0

H40523020 Linux kernel vulnerability CVE-2018-16658 Fixes Introduced In


K40523020 An issue was discovered in the Linux kernel before 4.18.6. An information leak in 16.0.0
cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel
memory because a cast from unsigned long to int interferes with bounds checking. This is similar to
CVE-2018-10940.

H40582331 Apache HTTP server vulnerability CVE-2022-28615
K40582331 Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.1

H41043270 Intel processor vulnerabilities CVE-2021-0086 and CVE-2021-0089 Fixes Introduced In


K41043270 All versions of Virtual Edition (VE) for the BIG-IP and BIG-IQ products are potentially impacted if the processors underlying the VE installations are affected. Microcode updates from Intel are available to address this issue but must be applied at the hardware level, which is outside the scope of the ability of F5 to support or patch.

This hardware issue impacts all the BIG-IP, BIG-IQ, VIPRION, and VELOS platforms using the following Intel Xeon processor families:

Ivy Bridge EP
Sandy Bridge EP
Ivy Bridge
Sandy Bridge
Hanswell E
Broadwell
Skylake-D

The following BIG-IP, BIG-IQ, VIPRION, and VELOS platforms are vulnerable:

A112 VIPRION Blade 2250
A114 VIPRION Blade 4450
A118 VELOS Blade BX110
C109 BIG-IP 5000s, 5200v, 5050s, 5250v, 5250v-F
C115 BIG-IP iSeries i4600, i4800
C116 BIG-IP iSeries i10600, i10600-D, i10800, i10800-D
C117 BIG-IP iSeries i850, i2600, i2800
C118 BIG-IP iSeries i7600, i7600-D, i7800, i7800-D
C119 BIG-IP iSeries i5600, i5800
C123 BIG-IP iSeries i11600, i11800
C124 BIG-IP iSeries i11400-DS, i11600-DS, i11800-DS
C125 BIG-IP iSeries i5820-DF
C126 BIG-IP iSeries i7820-DF
D110 BIG-IP 7000s, 7200v, 7200s-SSL, 7200v-FIPS, 7050s, 7250v, 7055s, 7255s
D110 BIG-IQ 7000
D111 BIG-IP 12250v
D112 BIG-IP 10350v, 10150s-N, 10350v-N, 10350v-F
D113 BIG-IP 10000s, 10200v, 10200v-SSL, 10200v-FIPS, 10050s, 10250v, 10055s, 10255v
D116 BIG-IP iSeries i15600, i15800
E102 BIG-IP 11050 NEBS

The following BIG-IP and VIPRION platforms are not vulnerable:

A107 VIPRION Blade 4200
A108 VIPRION Blade 4300
A109 VIPRION Blade 2100
A110 VIPRION Blade 4340
A111 VIPRION Blade 4200N
A113 VIPRION Blade 2150
C102 BIG-IP 1600, 1600 LC
C103 BIG-IP 3600
C106 BIG-IP 3900
C112 BIG-IP 2000s, 2200s
C113 BIG-IP 4000s, 4200v
C114 BIG-IP 800
D104 BIG-IP 6900, 6900s, 6900 FIPS
D106 BIG-IP 8900, 8900 FIPS
D107 BIG-IP 8950, 8950s
E101 BIG-IP 11000, 11000 FIPS
E102 BIG-IP 11050 FIPS
E102 BIG-IP 11050

H41877405 BIG-IP TMUI vulnerability CVE-2022-27659
K41877405 An authenticated attacker can modify/delete Dashboards created by other BIG-IP users in the Traffic Management User Interface (TMUI).
Fixes Introduced In: 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H42059040 Binutils vulnerability CVE-2019-9075 Fixes Introduced In


K42059040 An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU 15.1.9
Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. 16.1.4
17.1.0

H42526507 BIG-IP TMUI vulnerability CVE-2021-23041
K42526507 An attacker may exploit this vulnerability by convincing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system.
Fixes Introduced In: 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2, 16.1.0

H42910051 OpenSSL vulnerability CVE-2020-1971
K42910051 The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
Fixes Introduced In: 14.1.4.4, 15.1.4.1, 16.1.2

H43357358 AMD processors vulnerability CVE-2022-23823 Fixes Introduced In


K43357358 A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated
attacker to execute a timing attack to potentially enable information disclosure. (CVE-2022-23823 also
known as hertzbleed)

H44454157-2 Expat vulnerability CVE-2022-40674 Fixes Introduced In


K44454157 libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

This BIG-IP (ASM) system's control plane is vulnerable.

This heuristic does not check for any mitigation.

H445453 Updating the BIG-IP ASM attack signatures Fixes Introduced In


K8217 The ASM attack signature file may fail to automatically update, or if automatic updates are not enabled,
attempts to manually update the file may fail.

The service check date is 03/23/21, which is about 35 months old at the time this qkview was created. To download updated attack
signatures, the BIG-IP ASM system requires that the Service Check Date be no older than 18 months.

H44994972 Linux kernel vulnerability CVE-2020-25704 Fixes Introduced In


K44994972 A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using
PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial
of service.

H46641512 FreeType vulnerability CVE-2015-9382 Fixes Introduced In


K46641512 FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because 11.6.5.3
ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. 12.1.6
13.1.4
14.1.4.1
15.1.3
16.0.1.2
16.1.0

H47662005 BIG-IP Net HSM script vulnerability CVE-2022-28859 Fixes Introduced In


K47662005 When installing Net HSM, the scripts (nethsm-safenet-install.sh and nethsm-thales-install.sh) exposes 14.1.4.6
the Net HSM partition password. 15.1.5.1
16.1.0
File nethsm-safenet-install.sh is found

File nethsm-thales-install.sh is found

H48050136 OpenSSH client vulnerability CVE-2020-14145
K48050136 The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Fixes Introduced In: 15.1.9, 16.1.4, 17.1.0

H50310001 BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2022-34851 Fixes Introduced In
K50310001 An authenticated attacker may cause iControl SOAP to become unavailable through undisclosed 14.1.5.1
requests. 15.1.6.1
16.1.3.1
17.0.0.1

H51674118 Linux kernel vulnerability CVE-2019-11599
K51674118 The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
Fixes Introduced In: 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.0

H52379673 Linux kernel vulnerability for CVE-2021-4083 Fixes Introduced In


K52379673 A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain
socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a
race condition. This flaw allows a local user to crash the system or escalate their privileges on the
system. This flaw affects Linux kernel versions prior to 5.16-rc4.

H53197140 BIG-IP iControl REST and tmsh vulnerabilities CVE-2022-26835
K53197140 Directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS shell (tmsh) commands in BIG-IP Guided Configuration (GC) which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files.
Fixes Introduced In: 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2, 17.0.0

H53225395 Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931 Fixes Introduced In


K53225395 An attacker may be able to exploit the vulnerabilities to perform domain hijacking or injection attacks.
The highest threat from the vulnerabilities is to confidentiality and integrity, as well as system
availability.

H53252134 Intel BIOS vulnerability CVE-2021-0155 Fixes Introduced In


K53252134 Unchecked return value in the BIOS firmware for some Intel(R) Processors may allow a privileged user to
potentially enable information disclosure via local access.

H53593534 BIG-IP ASM and F5 Advanced WAF attack signature check failure on Fixes Introduced In
K53593534 The BIG-IP ASM and F5 Advanced Web Application Firewall (Advanced WAF) attack signature check may 13.1.5
fail to detect and block certain HTTP requests. 14.1.4.6
15.1.5.1
16.1.2.2
17.0.0

H54164678 Intel SPS vulnerability CVE-2019-11109 Fixes Introduced In


K54164678 Logic issue in the subsystem for Intel(R) SPS before versions SPS_E5_04.01.04.275.0, SPS_SoC-X_04.00.04.100.0 and SPS_SoC-A_04.00.04.191.0 may allow a privileged user to potentially enable denial of service via local access.

H55051330 Intel BIOS vulnerability CVE-2021-33123 Fixes Introduced In


K55051330 Improper access control in the BIOS authenticated code module for some Intel(R) Processors may allow
a privileged user to potentially enable escalation of privilege via local access.

H57110035 BIG-IP APM edge client for windows logging vulnerability CVE-2022- Fixes Introduced In
K57110035 BIG-IP Edge Client may log APM session related information when VPN is launched on a Windows
system.
13.1.5
14.1.4.6
15.1.5.1
16.1.2.2
17.0.0

H57542514 Python vulnerability CVE-2019-9636 Fixes Introduced In


K57542514 Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding
(with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials,
cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit,
urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host than when parsed correctly.
16.1.0

H58003591 Apache HTTP server vulnerability CVE-2022-28614 Fixes Introduced In


K58003591 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an
attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with
mod_lua's r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that
use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be
compiled against current headers to resolve the issue.
15.1.9
16.1.4
17.1.0

H59904248 iControl SOAP vulnerability CVE-2022-29474 Fixes Introduced In


K59904248 A directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at
least guest role privilege to read wsdl files in the BIG-IP file system.
13.1.5
14.1.4.6
15.1.5.1
16.1.2.2
17.0.0

H603643 Linux kernel vulnerability CVE-2016-0723 Fixes Introduced In


K43650115 Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows
local users to obtain sensitive information from kernel memory or cause a denial of service
(use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.

H61112120 BIG-IP Advanced ASM TMUI vulnerability CVE-2022-23031 Fixes Introduced In


K61112120 An XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web
Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also
referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local
files and force BIG-IP to send HTTP requests. An authenticated high-privilege user can trigger an XML
XXE vulnerability in the Advanced WAF and BIG-IP ASM Configuration utility to compromise the
confidentiality of the affected Advanced WAF and BIG-IP ASM devices.
14.1.4.4
15.1.4
16.1.1

H61643620 BIG-IP TMUI XSS vulnerability CVE-2021-23038 Fixes Introduced In


K61643620 A high privilege, authenticated attacker may exploit this vulnerability by storing an attack with malicious
HTML or JavaScript code in the BIG-IP Configuration utility. If the exploit is successful, an attacker can
run JavaScript in the context of the currently logged-in user. In the case of an administrative user with
access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to
completely compromise the BIG-IP system.
13.1.4.1
14.1.4.2
15.1.3.1
16.0.1.2
16.1.0

H62532228 Linux kernel CVE-2020-10769 Fixes Introduced In


K62532228 A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in
crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload is longer
than 4 bytes and does not follow 4-byte alignment boundary guidelines, it causes a buffer over-read
threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial
of service.
17.0.0

H63163637 BIG-IP TMUI vulnerability CVE-2021-23043 Fixes Introduced In


K63163637 An authenticated attacker may exploit this vulnerability by sending a crafted request to the BIG-IP
Configuration utility. If the exploit is successful, an attacker can access arbitrary files in the web root.

H64119434 GNU C Library vulnerability CVE-2009-5155 Fixes Introduced In


K64119434 In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses
alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or
trigger an incorrect result by attempting a regular-expression match.

H64829234 BIG-IP and BIG-IQ mcpd vulnerability CVE-2022-41694 Fixes Introduced In


K64829234 When an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to
terminate.
14.1.5
15.1.6.1
16.1.3
17.0.0

H67090077 Apache HTTP Server vulnerability CVE-2022-22720 Fixes Introduced In


K67090077 Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered
discarding the request body, exposing the server to HTTP Request Smuggling.
15.1.9
16.1.4
17.1.1

H67472032 BIG-IP network failover vulnerability CVE-2020-5860 Fixes Introduced In


K67472032 In a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not
require a strong form of authentication and HA network failover traffic is not encrypted by Transport
Layer Security (TLS).

H67830124 Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 Fixes Introduced In
K67830124 A memory out-of-bounds read flaw was found in the Linux kernel's ext3/ext4 file system in the way it
accesses a directory with broken indexing. This flaw allows a local user to crash the system if the
directory exists. The highest threat from this vulnerability is to system availability.

H68251873 glibc vulnerability CVE-2019-25013 Fixes Introduced In


K68251873 The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid
multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
15.1.4.1

H70652532 F5 Access Guided Configuration logging vulnerability CVE-2021-23046 Fixes Introduced In


K70652532 Users with access to restnoded logs may gain access to sensitive information from the security
properties of F5 Access Guided Configuration.
16.1.0

Running process: runsv restnoded

When a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure
properties are logged in restnoded logs.

This heuristic does not check the BIG-IP (Guided Configuration) version or user permissions. Please check your configuration.

Running process: /usr/bin/f5-rest-node /usr/share/rest/node/src/restnode.js -p 8105 --logLevel finest -i /var/log/restnoded/restnoded.log -s none

When a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure
properties are logged in restnoded logs.

This heuristic does not check the BIG-IP (Guided Configuration) version or user permissions. Please check your configuration.

H72540690 BIG-IP high availability state mirroring vulnerability CVE-2020-5884 Fixes Introduced In
K72540690 The default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control
plane issue that is exposed only on the network used for mirroring.
16.0.0

H726514 There are not enough NTP servers either configured or reliably Fixes Introduced In
K3122 F5 recommends that you configure at least three external NTP servers. If fewer than three Network Time
K10240 Protocol (NTP) servers are reachable, the system will not be able to reliably detect incorrect time
sources.

The configured NTP server is: '172.24.0.78'

The BIG-IP system is not configured to use enough Network Time Protocol servers.

H75540265 BIG-IP APM ACL Bypass Vulnerability CVE-2021-23016 Fixes Introduced In


K75540265 This vulnerability may allow an attacker to retrieve static content hosted on the BIG-IP that they would
otherwise not be able to, allowing them to more effectively fingerprint a device. It does not allow any
modification of data nor the exposure of any sensitive information or PII in the standard, default or
recommended configurations.
13.1.4
14.1.4.1
15.1.3

H770025 F5 recommends removing orphaned configuration objects Fixes Introduced In


K15335 Over the course of a system's operation, various configuration objects may become orphaned as they
are created and then abandoned to accommodate changing business or application needs. While
orphaned configuration objects do not initially cause problems, if allowed to accumulate, you can
eventually encounter some of the following issues: performance degradation, increased memory and
CPU utilization, and hindered administration from unnecessarily large configurations that can result in
configuration conflicts such as IP address or object name conflicts.

Please confirm that unused objects are not being indirectly linked to other configuration objects via iRules/scripts before deleting
them from the system.

Please confirm that unused objects are not being indirectly linked to other configuration objects via data groups before deleting
them from the system.

Unused nodes: /Common/172.21.0.50, /Common/10.29.0.32, /Common/172.24.0.122, /Common/172.24.0.121,
/Common/172.14.0.122, /Common/172.21.0.60, /Common/172.18.0.50.

H770025-1 F5 recommends removing orphaned configuration objects Fixes Introduced In


K15335 Over the course of a system's operation, various configuration objects may become orphaned as they
K14620 are created and then abandoned to accommodate changing business or application needs. While
orphaned configuration objects do not initially cause problems, if allowed to accumulate, you can
eventually encounter some of the following issues: performance degradation, increased memory and
CPU utilization, and hindered administration from unnecessarily large configurations that can result in
configuration conflicts such as IP address or object name conflicts.

The following SSL certificates are not currently in use by a virtual server: '/Common/cert_3dstest-2022', '/Common/default.crt',
'/Common/connect-external', '/Common/ca-bundle.crt', '/Common/digicert-sha2-ev-inter2023', '/Common/f5-irule.crt', and
'/Common/f5-ca-bundle.crt'

The certificates below are attached to profiles, but the profiles themselves are not used by any virtual servers. It is up to the
administrator to utilize or delete those profiles. It is not advisable to delete default certificates and profiles, and profiles that are
referenced by iRules. Carefully review the configuration before removing any objects.

Certificate /Common/default.crt is used by profiles /Common/clientssl, /Common/clientssl-insecure-compatible,
/Common/wom-default-clientssl, /Common/crypto-server-default-clientssl, /Common/clientssl-secure,
/Common/splitsession-default-clientssl, /Common/splitsession-default-serverssl, /Common/wom-default-serverssl
Certificate /Common/cert_3dstest-2022 is used by profile /Common/clientssl_3dstest

H77326807 BIND vulnerability CVE-2021-25219 Fixes Introduced In


K77326807 In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->
9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the
BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response
processing can cause degradation in BIND resolver performance. The way the lame cache is currently
designed makes it possible for its internal data structures to grow almost infinitely, which may cause
significant delays in client query processing.
13.1.5
14.1.5
15.1.6
16.1.3
17.0.0

H78284681 Python tarfile library vulnerability CVE-2019-20907 Fixes Introduced In


K78284681 In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite
loop when opened by tarfile.open, because _proc_pax lacks header validation.
15.1.9
16.1.4
17.1.0

H80311892 InfoZIP vulnerability CVE-2019-13232 Fixes Introduced In


K80311892 Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service
(resource consumption), aka a "better zip bomb" issue.
13.1.4.1
14.1.4.3
16.0.1.2
16.1.0

H80945213 BIG-IP ASM/Advanced WAF attack signature check failure security Fixes Introduced In
K80945213 A BIG-IP ASM/F5 Advanced Web Application Firewall (Advanced WAF) attack signature check may fail to
detect and block certain GET requests when cross-site request forgery (CSRF) protection is enabled.
13.1.5
14.1.4.4
15.1.4.1
16.1.0

H82356391 Intel CPU vulnerability CVE-2020-0591 Fixes Introduced In


K82356391 Improper buffer restrictions in BIOS firmware for some Intel(R) Processors may allow a privileged user to
potentially enable escalation of privilege via local access.

H830235 Cookie or universal persistence may fail for subsequent requests on Fixes Introduced In
K7964 The BIG-IP system may appear to ignore persistence information for subsequent requests on a
Keep-Alive HTTP connection when cookie or universal persistence is used.

These virtual servers have HTTP profiles and use cookie or universal persistence:

/Common/fda-preprod

/Common/fda-prod

H83102920 Linux kernel vulnerability CVE-2018-18397 Fixes Introduced In


K83102920 The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain
UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the
user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and
mm/userfaultfd.c.
16.1.0

H83284425 iControl REST and tmsh vulnerability CVE-2023-22326 Fixes Introduced In


K83284425 Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) dig
command which may allow an authenticated attacker with at least resource administrator role privileges
to view sensitive information.
14.1.5.3
15.1.8.1
16.1.3.3
17.0.0.2
17.1.0

H83504933 Intel I210 network adapter vulnerability CVE-2020-0524 Fixes Introduced In


K83504933 Improper default permissions in the firmware for the Intel(R) Ethernet I210 Controller series of network
adapters before version 3.30 may allow an authenticated user to potentially enable denial of service via
local access.

H87351324 Intel BIOS vulnerability CVE-2021-33124 Fixes Introduced In


K87351324 Out-of-bounds write in the BIOS authenticated code module for some Intel(R) Processors may allow a
privileged user to potentially enable escalation of privilege via local access.

H90011301 libssh2 vulnerabilities CVE-2019-3856, CVE-2019-3857, and CVE-2019- Fixes Introduced In


K90011301 For CVE-2019-3856 and CVE-2019-3857, a remote attacker may be able to execute code on the client
system when a user connects to the server. For CVE-2019-3863, an attacker may be able to initiate a
response from the server in which the message length causes an out-of-bounds memory write.
16.1.0

H92807525 TMUI XSS Vulnerability CVE-2022-27878 Fixes Introduced In


K92807525 A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP
Configuration utility that allows an attacker to execute JavaScript in the context of the currently
logged-in user.
17.0.0

H93144355 Vim / Neovim vulnerability CVE-2019-12735 Fixes Introduced In


K93144355 getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS
commands via the :source! command in a modeline, as demonstrated by execute in Vim, and
assert_fails or nvim_input in Neovim.

H94142349 BIG-IP Advanced WAF and ASM WebSocket security exposure Fixes Introduced In
K94142349 BIG-IP Advanced WAF and ASM incorrectly handle certain WebSocket requests. This issue occurs
when BIG-IP Advanced WAF or ASM handles a malicious WebSocket message.
13.1.5
14.1.4.6
15.1.5.1
16.1.2.2
17.0.0

H95503300 BIG-IP APM virtual server vulnerability CVE-2023-22418 Fixes Introduced In


K95503300 An open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This
vulnerability allows an unauthenticated malicious attacker to build an open redirect URI
14.1.5.3
15.1.7
16.1.3.3
17.0.0.2
17.1.0

LOW

H04160444 Intel CPU vulnerability CVE-2020-0592 Fixes Introduced In


K04160444 Out of bounds write in BIOS firmware for some Intel(R) Processors may allow an authenticated user to
potentially enable escalation of privilege and/or denial of service via local access.

H12252011 OpenSSH vulnerability CVE-2019-6109 Fixes Introduced In


K12252011 An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a
malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the
client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects
refresh_progress_meter() in progressmeter.c.

H15412203 Linux kernel vulnerability CVE-2017-1000365 Fixes Introduced In


K15412203 The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through
RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment
pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel
versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.

H23465404 BIG-IP LTM and APM NTLM vulnerability CVE-2022-33968 Fixes Introduced In
K23465404 When an LTM monitor or APM SSO is configured on a virtual server, and NTLM challenge-response is in
use, undisclosed traffic can cause a buffer over-read.
14.1.5.1
15.1.6.1
16.1.3.1
17.0.0.1

The following monitors with username/password set are found on the system:

/Common/fda-prod-web_http
/Common/fda-preprod-app_http
/Common/ActiveSync.app/ActiveSync_as_http_monitor
/Common/https_head_f5
/Common/fda-prod-app_http
/Common/fda-preprod-web_http
/Common/https_443
/Common/http_head_f5

If you did not change default monitor settings, please disregard the results below.

The qkview indicates that the following default monitors with username/password set are found on the system:

/Common/http
/Common/https

Default BIG-IP monitors should not be modified.

For security reasons, a qkview may contain username/password values that are different from the device.

H25126370 Apache HTTPD vulnerability CVE-2019-10098 Fixes Introduced In


K25126370 An attacker can abuse this vulnerability in a phishing attack or as part of a client-side attack on
browsers.
14.1.4.5
15.1.5.1
16.1.2.2

H33548065 Eclipse Jetty vulnerability CVE-2018-12536 Fixes Introduced In


K33548065 In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an
intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled
by the DefaultServlet's static file serving, the bad characters can trigger a
java.nio.file.InvalidPathException which includes the full path to the base resource directory that the
DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error
Handler, the InvalidPathException message is included in the error response, revealing the full server
path to the requesting system.
15.1.9
16.1.4
17.1.1

H380932 Optional modules or features may be configurable but will not Fixes Introduced In
K16538 Modules or features that are listed as optional modules in the BIG-IP license may be configurable;
however, functionality for these modules or features is not active unless the license includes support for
the module.

The following Optional Modules may be configurable but are unlicensed:

Advanced Protocols
External Interface and Network HSM
Routing Bundle
SSL, Forward Proxy, 2XXX/i2XXX

H38481791 glibc vulnerability CVE-2020-10029 Fixes Introduced In


K38481791 The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range
reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when
passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to
sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
14.1.4.3
15.1.4
16.0.1.2
16.1.0

H391596 BIG-IP LTM may send requests to unexpected pools for subsequent Fixes Introduced In
K9800 BIG-IP LTM may send requests to unexpected pools for subsequent requests on a Keep-Alive HTTP
K13753 connection because BIG-IP LTM makes a load-balancing decision for only the first request. This
behavior may occur when using either an iRule or an HTTP Class profile that load balances HTTP
requests to multiple pools.

The following virtual servers do not have a OneConnect profile and may send traffic to unexpected pools:

'/Common/fda-preprod' using irule '/Common/fda-preprod-pool-select_iRule'

'/Common/fda-prod' using irule '/Common/fda-prod-pool-select_iRule'

H42202505 Linux kernel vulnerability CVE-2018-1120 Fixes Introduced In


K42202505 A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a
process's memory containing command line arguments (or environment strings), an attacker can
cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to
the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or
for some controlled time (as a synchronization primitive for other attacks).
13.1.4.1
14.1.4.3
15.1.4
16.0.1.2
16.1.0

H42531048 OpenSSH vulnerability CVE-2019-6110 Fixes Introduced In


K42531048 In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious
server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control
codes to hide additional files being transferred.

H431773 Newer iApp templates available Fixes Introduced In


K13422 There are newer versions of F5 supported and F5 contributed iApp templates available. F5 recommends
that the latest released version be used. Pre-release (release candidate) versions are noted but should
only be used for testing.

/Common/ActiveSync.app/ActiveSync is using iApp template f5.microsoft_exchange_2016.v1.0.2.

The latest iApp pre-release template is 'f5.microsoft_exchange_2016.v1.0.3rc4'.

H44305703 NTP vulnerability CVE-2020-11868 Fixes Introduced In


K44305703 The ntpd daemon in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block
unauthenticated synchronization via a server mode packet with a spoofed source IP address, because
transmissions are rescheduled even when a packet lacks a valid origin timestamp.

H444724 The management interface is allowing access from public IP Fixes Introduced In
K7312 The management interface is either configured to use a public IP address or is allowing public addresses to
K13309 access the Configuration Utility.

All IP addresses are allowed to access the Configuration Utility.

H44482551 Intel I210 network adapter vulnerability CVE-2020-0525 Fixes Introduced In


K44482551 Improper access control in firmware for the Intel(R) Ethernet I210 Controller series of network adapters
before version 3.30 may allow a privileged user to potentially enable denial of service via local access.

H49905324 BIG-IP TMUI CSRF vulnerability CVE-2022-1389 Fixes Introduced In


K49905324 A cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP
Configuration utility. The vulnerability allows an attacker to run a limited set of commands: ping,
traceroute, and WOM diagnostics.
17.0.0

H56551263 tcpdump vulnerability CVE-2018-14880 Fixes Introduced In


K56551263 The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().

H701182 Non-ASCII characters removed from Qkview XML files Fixes Introduced In
Certain Non-ASCII characters cause parsing issues and prevent a ‘qkview’ file from being
processed by iHealth. These characters are removed at upload time so that the ‘qkview’
file can be viewed in iHealth. This is strictly an issue in the ‘qkview’ file, not the system
the ‘qkview’ file was generated from.

Non-ASCII characters were removed from the following XML files:

mcp_module.xml: 1,002 characters removed


asm_module.xml: 6 characters removed

H84583382 VMware Tools vulnerability CVE-2015-5191 Fixes Introduced In


K84583382 VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of
hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege
escalation.
14.1.5
15.1.5
16.0.0

H85742355 Java SE vulnerability CVE-2020-14577 Fixes Introduced In


K85742355 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE).
Supported versions affected are Java SE: 7u261, 8u251, 11.0.7, and 14.0.1; Java SE Embedded: 8u251.
This difficult-to-exploit vulnerability allows unauthenticated attackers with network access using TLS to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Java SE, Java SE Embedded-accessible data. Note: This applies
to client and server deployment of Java. Attackers can exploit this vulnerability through sandboxed Java Web Start
applications and sandboxed Java applets. Attackers can also exploit this vulnerability by supplying data
to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed
Java applets, such as through a web service. CVE-2020-14577
