Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for BIG-IP Advanced WAF, ASM, and APM by F5

    CVE-2022-26890 (GCVE-0-2022-26890)

    Vulnerability from nvd – Published: 2022-05-05 16:06 – Updated: 2024-09-16 17:03
    VLAI
    Summary
    On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Advanced WAF, ASM, and APM Unaffected: 12.1.x
    Unaffected: 11.6.x
    Unaffected: 17.0.0 , < 17.0.x* (custom)
    Affected: 16.1.x , < 16.1.2.1 (custom)
    Affected: 15.1.x , < 15.1.5 (custom)
    Affected: 14.1.x , < 14.1.4.6 (custom)
    Affected: 13.1.x , < 13.1.5 (custom)
    Create a notification for this product.
    Date Public
    2022-05-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:18:38.060Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K03442392"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BIG-IP Advanced WAF, ASM, and APM",
              "vendor": "F5",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "12.1.x"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.x"
                },
                {
                  "lessThan": "17.0.x*",
                  "status": "unaffected",
                  "version": "17.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "16.1.2.1",
                  "status": "affected",
                  "version": "16.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.1.5",
                  "status": "affected",
                  "version": "15.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "14.1.4.6",
                  "status": "affected",
                  "version": "14.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "13.1.5",
                  "status": "affected",
                  "version": "13.1.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-05-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the \"Use APM Username and Session ID\" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-05T16:06:28.000Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.f5.com/csp/article/K03442392"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "f5sirt@f5.com",
              "DATE_PUBLIC": "2022-05-04T14:00:00.000Z",
              "ID": "CVE-2022-26890",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BIG-IP Advanced WAF, ASM, and APM",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "!\u003e=",
                                "version_name": "17.0.x",
                                "version_value": "17.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "16.1.x",
                                "version_value": "16.1.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "15.1.x",
                                "version_value": "15.1.5"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "14.1.x",
                                "version_value": "14.1.4.6"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "13.1.x",
                                "version_value": "13.1.5"
                              },
                              {
                                "version_affected": "!",
                                "version_name": "12.1.x",
                                "version_value": "12.1.x"
                              },
                              {
                                "version_affected": "!",
                                "version_name": "11.6.x",
                                "version_value": "11.6.x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "F5"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the \"Use APM Username and Session ID\" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-670 Always-Incorrect Control Flow Implementation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.f5.com/csp/article/K03442392",
                  "refsource": "MISC",
                  "url": "https://support.f5.com/csp/article/K03442392"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2022-26890",
        "datePublished": "2022-05-05T16:06:28.626Z",
        "dateReserved": "2022-04-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:03:22.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26890 (GCVE-0-2022-26890)

    Vulnerability from cvelistv5 – Published: 2022-05-05 16:06 – Updated: 2024-09-16 17:03
    VLAI
    Summary
    On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Advanced WAF, ASM, and APM Unaffected: 12.1.x
    Unaffected: 11.6.x
    Unaffected: 17.0.0 , < 17.0.x* (custom)
    Affected: 16.1.x , < 16.1.2.1 (custom)
    Affected: 15.1.x , < 15.1.5 (custom)
    Affected: 14.1.x , < 14.1.4.6 (custom)
    Affected: 13.1.x , < 13.1.5 (custom)
    Create a notification for this product.
    Date Public
    2022-05-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:18:38.060Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K03442392"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BIG-IP Advanced WAF, ASM, and APM",
              "vendor": "F5",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "12.1.x"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.x"
                },
                {
                  "lessThan": "17.0.x*",
                  "status": "unaffected",
                  "version": "17.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "16.1.2.1",
                  "status": "affected",
                  "version": "16.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.1.5",
                  "status": "affected",
                  "version": "15.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "14.1.4.6",
                  "status": "affected",
                  "version": "14.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "13.1.5",
                  "status": "affected",
                  "version": "13.1.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-05-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the \"Use APM Username and Session ID\" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-05T16:06:28.000Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.f5.com/csp/article/K03442392"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "f5sirt@f5.com",
              "DATE_PUBLIC": "2022-05-04T14:00:00.000Z",
              "ID": "CVE-2022-26890",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BIG-IP Advanced WAF, ASM, and APM",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "!\u003e=",
                                "version_name": "17.0.x",
                                "version_value": "17.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "16.1.x",
                                "version_value": "16.1.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "15.1.x",
                                "version_value": "15.1.5"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "14.1.x",
                                "version_value": "14.1.4.6"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "13.1.x",
                                "version_value": "13.1.5"
                              },
                              {
                                "version_affected": "!",
                                "version_name": "12.1.x",
                                "version_value": "12.1.x"
                              },
                              {
                                "version_affected": "!",
                                "version_name": "11.6.x",
                                "version_value": "11.6.x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "F5"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the \"Use APM Username and Session ID\" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-670 Always-Incorrect Control Flow Implementation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.f5.com/csp/article/K03442392",
                  "refsource": "MISC",
                  "url": "https://support.f5.com/csp/article/K03442392"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2022-26890",
        "datePublished": "2022-05-05T16:06:28.626Z",
        "dateReserved": "2022-04-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:03:22.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }