
F5 BIG-IP ASM vulnerabilities

471 known vulnerabilities affecting f5/big-ip_asm.

Total CVEs: 471
CISA KEV: 6 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 275, MEDIUM 162, LOW 7

Vulnerabilities

Page 12 of 24
CVE-2021-22978 | HIGH | CVSS 8.3 | 2021-02-12 | f5
CWE-79. On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) a
CVE-2021-22973 | HIGH | CVSS 7.5 | 2021-02-12 | f5
CWE-787. On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, the JSON parser function does not protect against out-of-bounds memory accesses or writes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP
CVE-2021-22985 | HIGH | CVSS 7.5 | 2021-02-12 | f5
CWE-400. On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions, when processing VPN traffic with APM, TMM consumes excessive memory. A malicious, authenticated VPN user may abuse this to perform a DoS attack against the APM. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP APM, BIG-IP ASM Affected Versi
CVE-2021-22976 | HIGH | CVSS 7.5 | 2021-02-12 | f5
On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Note: Software versions whi
CVE-2021-22977 | HIGH | CVSS 7.5 | 2021-02-12 | f5
On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG-IP DNS, B
CVE-2021-22974 | HIGH | CVSS 7.5 | 2021-02-12 | f5
CWE-362. On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-201
CVE-2021-22975 | HIGH | CVSS 7.5 | 2021-02-12 | f5
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Ad
CVE-2021-22979 | MEDIUM | CVSS 6.1 | 2021-02-12 | f5
CWE-79. On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note
CVE-2021-22984 | MEDIUM | CVSS 6.1 | 2021-02-12 | f5
CWE-601. On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proac
CVE-2021-22981 | MEDIUM | CVSS 4.8 | 2021-02-12 | f5
On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (Eo
CVE-2020-27728 | HIGH | CVSS 7.5 | 2020-12-24 | f5
On BIG-IP ASM & Advanced WAF versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, under certain conditions, the Analytics, Visibility, and Reporting daemon (AVRD) may generate a core file and restart on the BIG-IP system when processing requests sent from mobile devices. Affected Products: BIG-IP ASM, BIG-IP Advanced WAF Affected Versions: 14.1.0 - 14.1.3
CVE-2020-27715 | HIGH | CVSS 7.5 | 2020-12-24 | f5
On BIG-IP 15.1.0-15.1.0.5 and 14.1.0-14.1.3, a crafted TLS request to the BIG-IP management interface via port 443 can cause high (~100%) CPU utilization by the httpd daemon. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM Affected Versions: 14.1.0 - 14.1.3.1; 15.0.0 - 15.1.1 F5 Advisory Articles: K
CVE-2020-27718 | HIGH | CVSS 7.5 | 2020-12-24 | f5
When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with a JSON payload, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Affected Products: BIG-IP A
CVE-2020-27719 | MEDIUM | CVSS 6.1 | 2020-12-24 | f5
CWE-79. On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, SSL Orchestrator Affected Versions
CVE-2020-27727 | MEDIUM | CVSS 4.9 | 2020-12-24 | f5
CWE-20. On BIG-IP version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, when an authenticated administrative user installs RPMs using the iAppsLX REST installer, the BIG-IP system does not sufficiently validate user input, allowing the user read access to the filesystem. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP F
CVE-2020-5948 | CRITICAL | CVSS 9.6 | 2020-12-11 | f5
CWE-79. On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics,
CVE-2020-5949 | HIGH | CVSS 7.5 | 2020-12-11 | f5
On BIG-IP versions 14.0.0-14.0.1 and 13.1.0-13.1.3.4, a certain traffic pattern sent to a virtual server configured with an FTP profile can cause the FTP channel to break. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP SSLO Affected Versions:
CVE-2020-5947 | MEDIUM | CVSS 4.3 | 2020-11-19 | f5
In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific BIG-IP platforms, attackers may be able to obtain TCP sequence numbers from the BIG-IP system that can be reused in future connections with the same source and destination port and IP numbers. Only these platforms are affected: BIG-IP 2000 series (C112), BIG-IP 4000 series (C113), BIG-IP i2000 series (C117), BIG-IP i4000 series (C115), BIG-IP Virtual Edit
CVE-2020-5939 | HIGH | CVSS 7.5 | 2020-11-05 | f5
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.3, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, and 13.1.0-13.1.3.4, BIG-IP Virtual Edition (VE) systems on VMware, with an Intel-based 85299 Network Interface Controller (NIC) card and Single Root I/O Virtualization (SR-IOV) enabled on vSphere, may fail and leave the Traffic Management Microkernel (TMM) in a state where it cannot transmit traffic. Affected Products: BIG-IP AAM, BIG
CVE-2020-5945 | HIGH | CVSS 8.4 | 2020-11-05 | f5
CWE-79. In BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.7, an undisclosed TMUI page contains a stored cross-site scripting (XSS) vulnerability. The issue allows a minor privilege escalation for a resource admin to escalate to full admin. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Con