F5 Ssl Orchestrator vulnerabilities

28 known vulnerabilities affecting f5/ssl_orchestrator.

Total CVEs

28

CISA KEV

3

actively exploited

Public exploits

2

Exploited in wild

3

Severity breakdown

CRITICAL6HIGH13MEDIUM9

Vulnerabilities

Page 2 of 2

CVE-2020-5922HIGHCVSS 8.8≥ 11.6.1, ≤ 11.6.5≥ 12.1.0, < 12.1.5.2+3 more2020-08-26

CVE-2020-5922 [HIGH] CWE-352 CVE-2020-5922: In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11 In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, iControl REST does not implement Cross Site Request Forgery protections for users which make use of Basic Authentication in a web browser.

CVE-2020-5913HIGHCVSS 7.4≥ 11.6.1, < 11.6.5≥ 12.1.0, < 12.1.5.2+4 more2020-08-26

CVE-2020-5913 [HIGH] CWE-295 CVE-2020-5913: In versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, In versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, the BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a man-in-the-middle attack on the connections.

CVE-2020-5916MEDIUMCVSS 6.8≥ 15.0.0, < 15.0.1.4≥ 15.1.0, < 15.1.0.52020-08-26

CVE-2020-5916 [MEDIUM] CWE-269 CVE-2020-5916: In BIG-IP versions 15.1.0-15.1.0.4 and 15.0.0-15.0.1.3 the Certificate Administrator user role and h In BIG-IP versions 15.1.0-15.1.0.4 and 15.0.0-15.0.1.3 the Certificate Administrator user role and higher privileged roles can perform arbitrary file reads outside of the web root directory.

CVE-2020-5902CRITICALCVSS 9.8KEVPoC≥ 11.6.1, < 11.6.5.2≥ 12.1.0, < 12.1.5.2+4 more2020-07-01

CVE-2020-5902 [CRITICAL] CWE-22 CVE-2020-5902: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11 In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

CVE-2019-6674HIGHCVSS 7.5≥ 14.0.0, ≤ 14.1.2≥ 15.0.0, ≤ 15.0.1+2 more2019-11-27

CVE-2019-6674 [HIGH] CVE-2019-6674: On F5 SSL Orchestrator 15.0.0-15.0.1 and 14.0.0-14.1.2, TMM may crash when processing SSLO data in a On F5 SSL Orchestrator 15.0.0-15.0.1 and 14.0.0-14.1.2, TMM may crash when processing SSLO data in a service-chaining configuration.

CVE-2019-6630HIGHCVSS 7.5≥ 14.0.0, < 14.0.0.5≥ 14.1.0, < 14.1.0.62019-07-03

CVE-2019-6630 [HIGH] CVE-2019-6630: On F5 SSL Orchestrator 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, undisclosed traffic flow may cause TMM t On F5 SSL Orchestrator 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, undisclosed traffic flow may cause TMM to restart under certain circumstances.

CVE-2019-6627MEDIUMCVSS 5.9≥ 14.1.0, < 14.1.0.62019-07-03

CVE-2019-6627 [MEDIUM] CWE-362 CVE-2019-6627: On F5 SSL Orchestrator 14.1.0-14.1.0.5, on rare occasions, specific to a certain race condition, TMM On F5 SSL Orchestrator 14.1.0-14.1.0.5, on rare occasions, specific to a certain race condition, TMM may restart when SSL Forward Proxy enforces the bypass action for an SSL Orchestrator transparent virtual server with SNAT enabled.

CVE-2017-6130HIGHCVSS 7.4v2.02017-04-06

CVE-2017-6130 [HIGH] CWE-918 CVE-2017-6130: F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulnerable to a Server-Side Request F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulnerable to a Server-Side Request Forgery (SSRF) attack when deployed using the Dynamic Domain Bypass (DDB) feature feature plus SNAT Auto Map option for egress traffic.

← Previous2 / 2