F5: >> Big-Ip Edge Gateway >> 12.1.3.6 Security Vulnerabilities
On versions 11.2.1. and greater, unrestricted Snapshot File Access allows BIG-IP system's user with any role, including Guest Role, to have access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps.
CVSS Score
5.5
EPSS Score
0.001
Published
2018-12-28
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-20
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a virtual server using the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core file.
CVSS Score
7.5
EPSS Score
0.006
Published
2018-12-20
In BIG-IP 14.0.0-14.0.0.2, 13.1.0.4-13.1.1.1, or 12.1.3.4-12.1.3.6, If an MPTCP connection receives an abort signal while the initial flow is not the primary flow, the initial flow will remain after the closing procedure is complete. TMM may restart and produce a core file as a result of this condition.
CVSS Score
7.5
EPSS Score
0.006
Published
2018-10-31
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.6, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies.
CVSS Score
7.5
EPSS Score
0.006
Published
2018-10-31
On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-10-19
On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility page.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-10-19
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
CVSS Score
7.5
EPSS Score
0.017
Published
2018-09-06
Page 7