National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:f5:big-ip_policy_enforcement_manager:13.0.0:hf2
There are 105 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2018-5506

In F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.1, 11.5.1-11.5.5, or 11.2.1 the Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp allow possible unauthenticated bruteforce on the em_server_ip authorization parameter to obtain which SSL client certificates used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices.

Published: April 13, 2018; 09:29:00 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 5.0 MEDIUM
CVE-2017-6155

On F5 BIG-IP 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.4.1-11.5.5, or 11.2.1, malformed SPDY or HTTP/2 requests may result in a disruption of service to TMM. Data plane is only exposed when a SPDY or HTTP/2 profile is attached to a virtual server. There is no control plane exposure.

Published: April 13, 2018; 09:29:00 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2017-6148

Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0.0, 12.0.0-12.1.3.1, 11.6.1-11.6.2, or 11.5.1-11.5.5 may cause a disruption of services provided by TMM. The data plane is impacted and exposed only when a SOCKS proxy profile is attached to a Virtual Server. The control plane is not impacted by this vulnerability.

Published: April 13, 2018; 09:29:00 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-5509

On F5 BIG-IP versions 13.0.0 or 12.1.0 - 12.1.3.1, when a specifically configured virtual server receives traffic of an undisclosed nature, TMM will crash and take the configured failover action, potentially causing a denial of service. The configuration which exposes this issue is not common and in general does not work when enabled in previous versions of BIG-IP. Starting in 12.1.0, BIG-IP will crash if the configuration which exposes this issue is enabled and the virtual server receives non TCP traffic. With the fix of this issue, additional configuration validation logic has been added to prevent this configuration from being applied to a virtual server. There is only data plane exposure to this issue with a non-standard configuration. There is no control plane exposure.

Published: March 22, 2018; 02:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2018-5504

In some circumstances, the Traffic Management Microkernel (TMM) does not properly handle certain malformed Websockets requests/responses, which allows remote attackers to cause a denial-of-service (DoS) or possible remote code execution on the F5 BIG-IP system running versions 13.0.0 - 13.1.0.3 or 12.1.0 - 12.1.3.1.

Published: March 22, 2018; 02:29:00 PM -04:00
V3.0: 8.1 HIGH
    V2: 9.3 HIGH
CVE-2018-5503

On F5 BIG-IP versions 13.0.0 - 13.1.0.3 or 12.0.0 - 12.1.3.1, TMM may restart when processing a specifically crafted page through a virtual server with an associated PEM policy that has content insertion as an action.

Published: March 22, 2018; 02:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-5502

On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure.

Published: March 22, 2018; 02:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-5501

In some circumstances, on F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, any 11.6.x or 11.5.x release, or 11.2.1, TCP DNS profile allows excessive buffering due to lack of flow control.

Published: March 01, 2018; 11:29:00 AM -05:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-5500

On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11.6.2, every Multipath TCP (MCTCP) connection established leaks a small amount of memory. Virtual server using TCP profile with Multipath TCP (MCTCP) feature enabled will be affected by this issue.

Published: March 01, 2018; 11:29:00 AM -05:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-6150

Under certain conditions for F5 BIG-IP systems 13.0.0 or 12.1.0 - 12.1.3.1, using FastL4 profiles, when the Reassemble IP Fragments option is disabled (default), some specific large fragmented packets may restart the Traffic Management Microkernel (TMM).

Published: March 01, 2018; 11:29:00 AM -05:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2017-6169

In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel (TMM) to produce a core file when it receives malformed URLs during categorization.

Published: February 06, 2018; 08:29:00 AM -05:00
V3.0: 6.8 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-6167

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, race conditions in iControl REST may lead to commands being executed with different privilege levels than expected.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 8.5 HIGH
CVE-2017-6164

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1 and 11.5.0 - 11.5.4, in some circumstances, Traffic Management Microkernel (TMM) does not properly handle certain malformed TLS1.2 records, which allows remote attackers to cause a denial-of-service (DoS) or possible remote command execution on the BIG-IP system.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 8.1 HIGH
    V2: 6.8 MEDIUM
CVE-2017-6151

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, undisclosed requests made to BIG-IP virtual servers which make use of the "HTTP/2 profile" may result in a disruption of service to TMM.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2017-6138

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2017-6136

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.0.0 - 12.1.2, undisclosed traffic patterns sent to BIG-IP virtual servers, with the TCP Fast Open and Tail Loss Probe options enabled in the associated TCP profile, may cause a disruption of service to the Traffic Management Microkernel (TMM).

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-6135

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, a slow memory leak as a result of undisclosed IPv4 or IPv6 packets sent to BIG-IP management port or self IP addresses may lead to out of memory (OOM) conditions.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2017-6134

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, 12.1.0 - 12.1.2 and 11.5.1 - 11.6.1, an undisclosed sequence of packets, sourced from an adjacent network may cause TMM to crash.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 6.5 MEDIUM
    V2: 3.3 LOW
CVE-2017-6133

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, undisclosed HTTP requests may cause a denial of service.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2017-6132

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 13.0.0, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 and 11.5.0 - 11.5.4, an undisclosed sequence of packets sent to BIG-IP High Availability state mirror listeners (primary and/or secondary IP) may cause TMM to restart.

Published: December 21, 2017; 12:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM