F5 Big-Ip Sslo vulnerabilities

CVE-2022-23025 [HIGH] CWE-476 CVE-2022-23025: On BIG-IP version 16 CVE-2022-23025: On BIG-IP version 16 On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM,

CVE-2022-23030 [MEDIUM] CWE-400 CVE-2022-23030: On version 16 CVE-2022-23030: On version 16 On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization.

CVE-2022-23029 [MEDIUM] CWE-367 CVE-2022-23029: On BIG-IP version 16 CVE-2022-23029: On BIG-IP version 16 On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BI

CVE-2022-23023 [MEDIUM] CWE-400 CVE-2022-23023: On BIG-IP version 16 CVE-2022-23023: On BIG-IP version 16 On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products

CVE-2022-23027 [MEDIUM] CWE-697 CVE-2022-23027: On BIG-IP versions 15 CVE-2022-23027: On BIG-IP versions 15 On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technic

CVE-2021-23045 [HIGH] CWE-20 CVE-2021-23045: On BIG-IP version 16 CVE-2021-23045: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2021-23042 [HIGH] CWE-400 CVE-2021-23042: On BIG-IP version 16 CVE-2021-23042: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-I

CVE-2021-23025 [HIGH] CWE-78 CVE-2021-23025: On version 15 CVE-2021-23025: On version 15 On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-I

CVE-2021-23026 [HIGH] CWE-352 CVE-2021-23026: BIG-IP version 16 CVE-2021-23026: BIG-IP version 16 BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: BIG-IP AAM,

CVE-2021-23027 [MEDIUM] CWE-79 CVE-2021-23027: On version 16 CVE-2021-23027: On version 16 On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Prod

CVE-2021-23011 [HIGH] CWE-400 CVE-2021-23011: On versions 16 CVE-2021-23011: On versions 16 On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End

CVE-2021-23009 [HIGH] CWE-835 CVE-2021-23009: On BIG-IP version 16 CVE-2021-23009: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are no

CVE-2021-23015 [HIGH] CWE-863 CVE-2021-23015: On BIG-IP 15 CVE-2021-23015: On BIG-IP 15 On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected Products: B

CVE-2021-23013 [HIGH] CVE-2021-23013: On BIG-IP versions 16 CVE-2021-23013: On BIG-IP versions 16 On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, the Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile. Note: Software v

CVE-2021-23012 [HIGH] CWE-78 CVE-2021-23012: On BIG-IP versions 16 CVE-2021-23012: On BIG-IP versions 16 On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are

CVE-2021-23007 [MEDIUM] CVE-2021-23007: On BIG-IP versions 14 CVE-2021-23007: On BIG-IP versions 14 On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG

CVE-2021-22978 [HIGH] CWE-79 CVE-2021-22978: On BIG-IP version 16 CVE-2021-22978: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) a

CVE-2021-22977 [HIGH] CVE-2021-22977: On BIG-IP version 16 CVE-2021-22977: On BIG-IP version 16 On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG-IP DNS, B

CVE-2021-22974 [HIGH] CWE-362 CVE-2021-22974: On BIG-IP version 16 CVE-2021-22974: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-201

CVE-2021-22975 [HIGH] CVE-2021-22975: On BIG-IP version 16 CVE-2021-22975: On BIG-IP version 16 On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Ad