F5 Big-Ip Asm vulnerabilities

CVE-2021-23045 [HIGH] CWE-20 CVE-2021-23045: On BIG-IP version 16 CVE-2021-23045: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2021-23035 [HIGH] CWE-20 CVE-2021-23035: On BIG-IP 14 CVE-2021-23035: On BIG-IP 14 On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FP

CVE-2021-23042 [HIGH] CWE-400 CVE-2021-23042: On BIG-IP version 16 CVE-2021-23042: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-I

CVE-2021-23025 [HIGH] CWE-78 CVE-2021-23025: On version 15 CVE-2021-23025: On version 15 On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-I

CVE-2021-23029 [HIGH] CWE-918 CVE-2021-23029: On version 16 CVE-2021-23029: On version 16 On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP ASM, BIG-IP Advanced WA

CVE-2021-23034 [HIGH] CWE-20 CVE-2021-23034: On BIG-IP version 16 CVE-2021-23034: On BIG-IP version 16 On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP

CVE-2021-23049 [HIGH] CWE-400 CVE-2021-23049: On BIG-IP version 16 CVE-2021-23049: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not

CVE-2021-23051 [HIGH] CWE-20 CVE-2021-23051: On BIG-IP versions 15 CVE-2021-23051: On BIG-IP versions 15 On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862. Note: Software versions which have reached End of Technical Support (EoTS)

CVE-2021-23026 [HIGH] CWE-352 CVE-2021-23026: BIG-IP version 16 CVE-2021-23026: BIG-IP version 16 BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM,

CVE-2021-23036 [HIGH] CWE-20 CVE-2021-23036: On version 16 CVE-2021-23036: On version 16 On version 16.0.x before 16.0.1.2, when a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP ASM, BIG-IP Advanced WAF, Big-Ip Datasafe Affected Versions: 16.0.0 - 16.0.1 F5 Advisory Arti

CVE-2021-23044 [HIGH] CWE-20 CVE-2021-23044: On BIG-IP version 16 CVE-2021-23044: On BIG-IP version 16 On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versi

CVE-2021-23028 [HIGH] CWE-20 CVE-2021-23028: On version 16 CVE-2021-23028: On version 16 On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. Note: Software versions which have reached End of Technical Su

CVE-2021-23033 [HIGH] CWE-20 CVE-2021-23033: On BIG-IP Advanced WAF and BIG-IP ASM version 16 CVE-2021-23033: On BIG-IP Advanced WAF and BIG-IP ASM version 16 On BIG-IP Advanced WAF and BIG-IP ASM version 16.x before 16.1.0x, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. Note: Software versions which have reached End of Technical Suppo

CVE-2021-23027 [MEDIUM] CWE-79 CVE-2021-23027: On version 16 CVE-2021-23027: On version 16 On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Prod

CVE-2021-23043 [MEDIUM] CWE-22 CVE-2021-23043: On BIG-IP, on all versions of 16 CVE-2021-23043: On BIG-IP, on all versions of 16 On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, B

CVE-2021-23053 [MEDIUM] CWE-400 CVE-2021-23053: On version 15 CVE-2021-23053: On version 15 On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End

CVE-2021-23041 [MEDIUM] CWE-79 CVE-2021-23041: On BIG-IP version 16 CVE-2021-23041: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached

CVE-2021-23011 [HIGH] CWE-400 CVE-2021-23011: On versions 16 CVE-2021-23011: On versions 16 On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End

CVE-2021-23014 [HIGH] CWE-862 CVE-2021-23014: On versions 16 CVE-2021-23014: On versions 16 On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP ASM

CVE-2021-23009 [HIGH] CWE-835 CVE-2021-23009: On BIG-IP version 16 CVE-2021-23009: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are no