| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-27634 |
20 |
|
Exec Code |
2022-05-05 |
2022-05-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, BIG-IP APM does not properly validate configurations, allowing an authenticated attacker with high privileges to manipulate the APM policy leading to privilege escalation/remote code execution. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
|
2 |
CVE-2022-23032 |
346 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
3 |
CVE-2022-23030 |
400 |
|
|
2022-01-25 |
2022-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
4 |
CVE-2022-23029 |
367 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
5 |
CVE-2022-23027 |
697 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
6 |
CVE-2022-23025 |
476 |
|
|
2022-01-25 |
2022-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
7 |
CVE-2022-23023 |
400 |
|
|
2022-01-25 |
2022-02-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
8 |
CVE-2022-23022 |
476 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
9 |
CVE-2022-23021 |
476 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.1.x before 16.1.2, when any of the following configurations are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate: HTTP redirect rule in an LTM policy, BIG-IP APM Access Profile, and Explicit HTTP Proxy in HTTP Profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
10 |
CVE-2022-23020 |
476 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.1.x before 16.1.2, when the 'Respond on Error' setting is enabled on the Request Logging profile and configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
11 |
CVE-2022-23019 |
20 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a message routing type virtual server is configured with both Diameter Session and Router Profiles, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
12 |
CVE-2022-23017 |
476 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
13 |
CVE-2022-23016 |
476 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
14 |
CVE-2022-23015 |
400 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4, when a Client SSL profile is configured on a virtual server with Client Certificate Authentication set to request/require and Session Ticket enabled and configured, processing SSL traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
15 |
CVE-2022-23014 |
20 |
|
|
2022-01-25 |
2022-02-01 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
16 |
CVE-2022-23012 |
415 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
17 |
CVE-2022-23010 |
404 |
|
|
2022-01-25 |
2022-02-01 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile and an HTTP profile are configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
18 |
CVE-2022-1388 |
306 |
|
Bypass |
2022-05-05 |
2022-05-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
|
19 |
CVE-2021-23054 |
79 |
|
XSS |
2021-09-27 |
2021-10-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
20 |
CVE-2021-23052 |
601 |
|
|
2021-09-14 |
2021-09-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
21 |
CVE-2021-23051 |
|
|
|
2021-09-14 |
2021-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
22 |
CVE-2021-23049 |
400 |
|
|
2021-09-14 |
2021-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
23 |
CVE-2021-23048 |
|
|
|
2021-09-14 |
2021-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
24 |
CVE-2021-23047 |
400 |
|
|
2021-09-14 |
2021-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, and all versions of 13.1.x, 12.1.x and 11.6.x, when BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
25 |
CVE-2021-23046 |
532 |
|
|
2021-09-14 |
2021-09-24 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
26 |
CVE-2021-23045 |
|
|
|
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
27 |
CVE-2021-23044 |
|
|
|
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
28 |
CVE-2021-23043 |
22 |
|
Dir. Trav. |
2021-09-14 |
2021-09-24 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
29 |
CVE-2021-23042 |
400 |
|
|
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
30 |
CVE-2021-23041 |
79 |
|
XSS |
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
31 |
CVE-2021-23039 |
|
|
|
2021-09-14 |
2021-09-27 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.2.8, and all versions of 13.1.x and 12.1.x, when IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPSec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
32 |
CVE-2021-23038 |
79 |
|
XSS |
2021-09-14 |
2021-09-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
33 |
CVE-2021-23037 |
79 |
|
XSS |
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
34 |
CVE-2021-23035 |
|
|
|
2021-09-14 |
2021-09-27 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
35 |
CVE-2021-23034 |
668 |
|
|
2021-09-14 |
2021-09-27 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
36 |
CVE-2021-23027 |
79 |
|
XSS |
2021-09-14 |
2021-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
37 |
CVE-2021-23026 |
352 |
|
CSRF |
2021-09-14 |
2021-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
38 |
CVE-2021-23025 |
78 |
|
Exec Code |
2021-09-14 |
2021-11-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
39 |
CVE-2021-23023 |
427 |
|
|
2021-06-10 |
2021-06-22 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
40 |
CVE-2021-23022 |
732 |
|
|
2021-06-10 |
2021-06-23 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
41 |
CVE-2021-23016 |
|
|
Bypass |
2021-05-10 |
2021-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
42 |
CVE-2021-23015 |
863 |
|
Bypass |
2021-05-10 |
2021-05-24 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
43 |
CVE-2021-23013 |
94 |
|
|
2021-05-10 |
2021-05-24 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, the Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
44 |
CVE-2021-23012 |
77 |
|
Exec Code |
2021-05-10 |
2021-05-24 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
45 |
CVE-2021-23011 |
400 |
|
|
2021-05-10 |
2021-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
46 |
CVE-2021-23009 |
835 |
|
DoS |
2021-05-10 |
2021-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
47 |
CVE-2021-23008 |
287 |
|
Bypass |
2021-05-10 |
2021-05-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
48 |
CVE-2021-23004 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
49 |
CVE-2021-23003 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
50 |
CVE-2021-23002 |
|
|
|
2021-03-31 |
2021-04-05 |
2.7 |
None |
Local Network |
Low |
??? |
Partial |
None |
None |
|
When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
