F5 BIG-IP ASM vulnerabilities
471 known vulnerabilities affecting f5/big-ip_asm.
Total CVEs: 471
CISA KEV: 6 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 275, MEDIUM 162, LOW 7
Vulnerabilities
Page 15 of 24
CVE-2020-5891 [HIGH] CVSS 7.5, 2020-04-30
On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undisclosed HTTP/2 requests can lead to a denial of service when sent to a virtual server configured with the Fallback Host setting and a server-side HTTP/2 profile.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP FPS, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 14.1.0 - 14.1.2.3; 15.0.0 -
CVE-2020-5873 [HIGH] CVSS 7.2, 2020-04-30
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analyt
CVE-2020-5888 [HIGH] CVSS 8.1, 2020-04-30
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer 2) attackers to access local daemons and bypass port lockdown settings.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 14.0.0 - 14.
CVE-2020-5883 [HIGH] CVSS 7.5, CWE-401, 2020-04-30
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, when a virtual server is configured with HTTP explicit proxy and has an attached HTTP_PROXY_REQUEST iRule, POST requests sent to the virtual server cause an xdata memory leak.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebA
CVE-2020-5875 [HIGH] CVSS 7.5, 2020-04-30
On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 14.1.0 - 14.1.2.3; 15.0.0 - 1
CVE-2020-5881 [HIGH] CVSS 7.5, 2020-04-30
On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there are devices configured with OSPF connected to it, the Network Device Abstraction Layer (NDAL) interfaces can lock up, in turn disrupting communication between the mcpd and tmm processes.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Anal
CVE-2020-5879 [HIGH] CVSS 7.5, CWE-319, 2020-04-30
On BIG-IP ASM 11.6.1-11.6.5.1, under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied.
Affected Products: BIG-IP ASM
Affected Versions: 11.6.1 - 11.6.5.1
F5 Advisory Articles: K88474783
F5 References: https://support.f5.com/csp/article/K88474783
CVE-2020-5882 [HIGH] CVSS 7.5, 2020-04-30
On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5, and 11.6.1-11.6.5.1, under certain conditions, the Intel QuickAssist Technology (QAT) cryptography driver may produce a Traffic Management Microkernel (TMM) core file.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller,
CVE-2020-5890 [MEDIUM] CVSS 5.5, CWE-200, 2020-04-30
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1 and BIG-IQ 5.2.0-7.1.0, when creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will not fully obfuscate if they contain whitespace.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM,
CVE-2020-5861 [HIGH] CVSS 7.5, CWE-119, 2020-03-27
On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 12.1.0 - 12.1.5
F5 Advisory Articles: K22113131
F5 References: https:/
CVE-2020-5860 [HIGH] CVSS 8.1, CWE-287, 2020-03-27
On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).
Affected Products: BIG-IP AAM, BIG-
CVE-2020-5862 [HIGH] CVSS 7.5, 2020-03-27
On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. This issue does not affect any other platforms, hardware or virtual, or any other cloud provider since the affected driver is specific to AWS.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analy
CVE-2020-5858 [HIGH] CVSS 7.8, 2020-03-27
On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-
CVE-2020-5859 [HIGH] CVSS 7.5, 2020-03-27
On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 15.0.0 - 15.0.1.1
F5 Advisory Articles: K61367237
F5 References: https://support.f5.com/csp/article/K61367237
CVE-2020-5857 [HIGH] CVSS 7.5, 2020-03-27
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator
Affected Versions: 11.5.2 - 11.6.5; 12.1.0 - 12.1.5; 13
CVE-2020-5856 [HIGH] CVSS 7.5, 2020-02-06
On BIG-IP 15.0.0-15.0.1.1 and 14.1.0-14.1.2.2, while processing specifically crafted traffic using the default 'xnet' driver, Virtual Edition instances hosted in Amazon Web Services (AWS) may experience a TMM restart.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM
Affected Versions: 14.1.0 - 14.1.2.
CVE-2020-5854 [MEDIUM] CVSS 5.9, 2020-02-06
On BIG-IP 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.0-11.6.5.1, the tmm crashes under certain circumstances when using the connector profile if a specific sequence of connections is made.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-
CVE-2020-5852 [HIGH] CVSS 7.5, 2020-01-14
Undisclosed traffic patterns received may cause a disruption of service to the Traffic Management Microkernel (TMM). This vulnerability affects TMM through a virtual server configured with a FastL4 profile. Traffic p
CVE-2020-5851 [MEDIUM] CVSS 4.6, 2020-01-14
On impacted versions and platforms the Trusted Platform Module (TPM) system integrity check cannot detect modifications to specific system components. This issue only impacts specific engineering hotfixes
CVE-2019-6687 [HIGH] CVSS 7.4, CWE-295, v15.0.0-15.0.1.1, 2019-12-23
On versions 15.0.0-15.0.1.1, the BIG-IP ASM Cloud Security Services profile uses a built-in verification mechanism that fails to properly authenticate the X.509 certificate of remote endpoints.