F5 Big-Ip Ltm vulnerabilities

CVE-2023-22422 [HIGH] CWE-120 CVE-2023-22422: On BIG-IP versions 17 CVE-2023-22422: On BIG-IP versions 17 On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, when a HTTP profile with the non-default Enforcement options of Enforce HTTP Compliance and Unknown Methods: Reject are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not ev

CVE-2023-22839 [HIGH] CWE-476 CVE-2023-22839: On BIG-IP versions 17 CVE-2023-22839: On BIG-IP versions 17 On BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all version of 13.1.x, when a DNS profile with the Rapid Response Mode setting enabled is configured on a virtual server with hardware SYN cookies enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have r

CVE-2023-22664 [HIGH] CWE-400 CVE-2023-22664: On BIG-IP versions 17 CVE-2023-22664: On BIG-IP versions 17 On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Pr

CVE-2023-22842 [HIGH] CWE-121 CVE-2023-22842: On BIG-IP versions 16 CVE-2023-22842: On BIG-IP versions 16 On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products:

CVE-2023-22323 [HIGH] CWE-770 CVE-2023-22323: In BIP-IP versions 17 CVE-2023-22323: In BIP-IP versions 17 In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Produ

CVE-2023-22302 [MEDIUM] CWE-772 CVE-2023-22302: In BIG-IP versions 17 CVE-2023-22302: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of

CVE-2023-22326 [MEDIUM] CWE-732 CVE-2023-22326: In BIG-IP versions 17 CVE-2023-22326: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privi

CVE-2023-22418 [MEDIUM] CWE-601 CVE-2023-22418: On versions 17 CVE-2023-22418: On versions 17 On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious attacker to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are

CVE-2022-41622 [HIGH] CWE-352 CVE-2022-41622: In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP CVE-2022-41622: In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are n

CVE-2022-41800 [HIGH] CWE-77 CVE-2022-41800: In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may ... CVE-2022-41800: In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may ... In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iContr

CVE-2022-41787 [HIGH] CWE-476 CVE-2022-41787: In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x be In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when DNS profile is configured on a virtual server with DNS Express enabled, undisclosed DNS queries with DNSSEC can cause TMM to terminate.

CVE-2022-41832 [HIGH] CWE-401 CVE-2022-41832: In BIG-IP versions 17 CVE-2022-41832: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when a SIP profile is configured on a virtual server, undisclosed messages can cause an increase in memory resource utilization. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM,

CVE-2022-41624 [HIGH] CWE-401 CVE-2022-41624: In BIG-IP versions 17 CVE-2022-41624: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM,

CVE-2022-41833 [HIGH] CWE-400 CVE-2022-41833: In all BIG-IP 13 CVE-2022-41833: In all BIG-IP 13 In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a virtual server, undisclosed requests can cause Traffic Management Microkernel (TMM) to terminate. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM Affected Versions: 13.1.0 - 13.1.5

CVE-2022-41770 [MEDIUM] CWE-400 CVE-2022-41770: In BIG-IP versions 17 CVE-2022-41770: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP D

CVE-2022-36795 [MEDIUM] CWE-682 CVE-2022-36795: In BIG-IP versions 17 CVE-2022-36795: In BIG-IP versions 17 In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x before 14.1.5.1, when an LTM TCP profile with Auto Receive Window Enabled is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-

CVE-2022-41694 [MEDIUM] CWE-20 CVE-2022-41694: In BIG-IP versions 16 CVE-2022-41694: In BIG-IP versions 16 In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, and BIG-IQ versions 8.x before 8.2.0.1 and all versions of 7.x, when an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to terminate. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP FPS

CVE-2022-41983 [LOW] CWE-319 CVE-2022-41983: On specific hardware platforms, on BIG-IP versions 16 CVE-2022-41983: On specific hardware platforms, on BIG-IP versions 16 On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. Af

CVE-2022-34651 [HIGH] CWE-476 CVE-2022-34651: In BIG-IP Versions 16 CVE-2022-34651: In BIG-IP Versions 16 In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, when an LTM Client or Server SSL profile with TLS 1.3 enabled is configured on a virtual server, along with an iRule that calls HTTP::respond, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-32455 [HIGH] CWE-119 CVE-2022-32455: In BIG-IP Versions 16 CVE-2022-32455: In BIG-IP Versions 16 In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when a BIG-IP LTM Client SSL profile is configured on a virtual server to perform client certificate authentication with session tickets enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End o