CVE-2023-22326 – iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2023-22326
In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K83284425 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-22323 – BIG-IP SSL OCSP Authentication profile vulnerability
https://notcve.org/view.php?id=CVE-2023-22323
In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K56412001 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-41983 – BIG-IP TMM Vulnerability CVE-2022-41983
https://notcve.org/view.php?id=CVE-2022-41983
On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. En plataformas de hardware específicas, En BIG-IP versiones 16.1.x anteriores a 16.1.3.1, 15.1.x anteriores a 15.1.7, 14.1.x anteriores a 14.1.5.1 y todas las versiones de la 13.1.x, mientras es usado Intel QAT (QuickAssist Technology) y el cifrado AES-GCM/CCM, las condiciones no reveladas pueden causar que BIG-IP envíe datos sin cifrar incluso con un perfil SSL aplicado • https://support.f5.com/csp/article/K31523465 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2022-33203 – BIG-IP APM and F5 SSL Orchestrator vulnerability CVE-2022-33203
https://notcve.org/view.php?id=CVE-2022-33203
In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5, when a BIG-IP APM access policy with Service Connect agent is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En BIG-IP versiones 16.1.x anteriores a 16.1.3, 15.1.x anteriores a 15.1.6.1 y 14.1.x anteriores a 14.1.5, cuando es configurado una política de acceso de BIG-IP APM con el agente Service Connect en un servidor virtual, las peticiones no reveladas pueden causar un aumento en el uso de los recursos de memoria. Nota: Las versiones de software que han alcanzado el fin del soporte técnico (EoTS) no son evaluadas • https://support.f5.com/csp/article/K52534925 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-23029
https://notcve.org/view.php?id=CVE-2022-23029
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En BIG-IP versiones 16.x anteriores a 16.1.0, 15.1.x anteriores a 15.1.4.1, 14.1.x anteriores a 14.1.4.4 y todas las versiones de 13.1.x, 12.1.x y 11.6.x, cuando es configurado un perfil FastL4 en un servidor virtual, el tráfico no revelado puede causar un aumento en el uso de recursos de memoria. Nota: Las versiones de software que han alcanzado el Fin de Soporte Técnico (EoTS) no son evaluadas • https://support.f5.com/csp/article/K50343028 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •