Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for big-ip_service_proxy by f5

    CVE-2023-23555 (GCVE-0-2023-23555)

    Vulnerability from nvd – Published: 2023-02-01 17:57 – Updated: 2025-03-26 15:59
    VLAI
    Title
    BIG-IP Virtual Edition vulnerability
    Summary
    On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-665 - Improper Initialization
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Affected: 15.1.4 , < 15.1.8 (semver)
    Affected: 14.1.5 , < 14.1.5.3 (semver)
    Create a notification for this product.
    F5 BIG-IP SPK Affected: 1.5.0 , < 1.6.0 (semver)
    Create a notification for this product.
    Date Public
    2023-02-01 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.615Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K24572686"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23555",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-26T15:56:12.818627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-26T15:59:59.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "All modules"
              ],
              "product": "BIG-IP",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "15.1.8",
                  "status": "affected",
                  "version": "15.1.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.1.5.3",
                  "status": "affected",
                  "version": "14.1.5",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "BIG-IP SPK",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.6.0",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2023-02-01T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
                }
              ],
              "value": "On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-665",
                  "description": "CWE-665 Improper Initialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-01T17:57:02.731Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "url": "https://my.f5.com/manage/s/article/K24572686"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "BIG-IP Virtual Edition vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-23555",
        "datePublished": "2023-02-01T17:57:02.731Z",
        "dateReserved": "2023-01-13T06:43:46.147Z",
        "dateUpdated": "2025-03-26T15:59:59.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22664 (GCVE-0-2023-22664)

    Vulnerability from nvd – Published: 2023-02-01 17:56 – Updated: 2025-03-26 17:48
    VLAI
    Title
    BIG-IP HTTP/2 profile vulnerability
    Summary
    On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Affected: 17.0.0 , < 17.0.0.2 (semver)
    Affected: 16.1.0 , < 16.1.3.3 (semver)
    Create a notification for this product.
    F5 BIG-IP SPK Affected: 1.6.0 , < * (semver)
    Create a notification for this product.
    Date Public
    2023-02-01 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:49.717Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K56676554"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22664",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-26T17:48:50.458671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-26T17:48:59.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "All modules"
              ],
              "product": "BIG-IP",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "17.0.0.2",
                  "status": "affected",
                  "version": "17.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.1.3.3",
                  "status": "affected",
                  "version": "16.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "BIG-IP SPK",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2023-02-01T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
                }
              ],
              "value": "On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-01T17:56:15.585Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "url": "https://my.f5.com/manage/s/article/K56676554"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "BIG-IP HTTP/2 profile vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-22664",
        "datePublished": "2023-02-01T17:56:15.585Z",
        "dateReserved": "2023-01-13T06:43:37.176Z",
        "dateUpdated": "2025-03-26T17:48:59.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2002-20001 (GCVE-0-2002-20001)

    Vulnerability from nvd – Published: 2021-11-11 00:00 – Updated: 2025-02-13 16:27
    VLAI
    Summary
    The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-08T04:06:55.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Balasys/dheater"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/mozilla/ssl-config-generator/issues/162"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.suse.com/support/kb/doc/?id=000020510"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K83120834"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://dheatattack.com"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gitlab.com/dheatattack/dheater"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://dheatattack.gitlab.io/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ieeexplore.ieee.org/document/10374117"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-23T06:51:09.585Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/Balasys/dheater"
            },
            {
              "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
            },
            {
              "url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/"
            },
            {
              "url": "https://github.com/mozilla/ssl-config-generator/issues/162"
            },
            {
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
            },
            {
              "url": "https://www.suse.com/support/kb/doc/?id=000020510"
            },
            {
              "url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/"
            },
            {
              "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
            },
            {
              "url": "https://support.f5.com/csp/article/K83120834"
            },
            {
              "url": "https://dheatattack.com"
            },
            {
              "url": "https://gitlab.com/dheatattack/dheater"
            },
            {
              "url": "https://dheatattack.gitlab.io/"
            },
            {
              "url": "https://ieeexplore.ieee.org/document/10374117"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2002-20001",
        "datePublished": "2021-11-11T00:00:00.000Z",
        "dateReserved": "2021-11-11T00:00:00.000Z",
        "dateUpdated": "2025-02-13T16:27:06.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23555 (GCVE-0-2023-23555)

    Vulnerability from cvelistv5 – Published: 2023-02-01 17:57 – Updated: 2025-03-26 15:59
    VLAI
    Title
    BIG-IP Virtual Edition vulnerability
    Summary
    On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-665 - Improper Initialization
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Affected: 15.1.4 , < 15.1.8 (semver)
    Affected: 14.1.5 , < 14.1.5.3 (semver)
    Create a notification for this product.
    F5 BIG-IP SPK Affected: 1.5.0 , < 1.6.0 (semver)
    Create a notification for this product.
    Date Public
    2023-02-01 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.615Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K24572686"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23555",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-26T15:56:12.818627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-26T15:59:59.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "All modules"
              ],
              "product": "BIG-IP",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "15.1.8",
                  "status": "affected",
                  "version": "15.1.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.1.5.3",
                  "status": "affected",
                  "version": "14.1.5",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "BIG-IP SPK",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.6.0",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2023-02-01T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
                }
              ],
              "value": "On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-665",
                  "description": "CWE-665 Improper Initialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-01T17:57:02.731Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "url": "https://my.f5.com/manage/s/article/K24572686"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "BIG-IP Virtual Edition vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-23555",
        "datePublished": "2023-02-01T17:57:02.731Z",
        "dateReserved": "2023-01-13T06:43:46.147Z",
        "dateUpdated": "2025-03-26T15:59:59.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22664 (GCVE-0-2023-22664)

    Vulnerability from cvelistv5 – Published: 2023-02-01 17:56 – Updated: 2025-03-26 17:48
    VLAI
    Title
    BIG-IP HTTP/2 profile vulnerability
    Summary
    On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 BIG-IP Affected: 17.0.0 , < 17.0.0.2 (semver)
    Affected: 16.1.0 , < 16.1.3.3 (semver)
    Create a notification for this product.
    F5 BIG-IP SPK Affected: 1.6.0 , < * (semver)
    Create a notification for this product.
    Date Public
    2023-02-01 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:49.717Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K56676554"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22664",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-26T17:48:50.458671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-26T17:48:59.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "All modules"
              ],
              "product": "BIG-IP",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "17.0.0.2",
                  "status": "affected",
                  "version": "17.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.1.3.3",
                  "status": "affected",
                  "version": "16.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "BIG-IP SPK",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2023-02-01T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
                }
              ],
              "value": "On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-01T17:56:15.585Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "url": "https://my.f5.com/manage/s/article/K56676554"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "BIG-IP HTTP/2 profile vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-22664",
        "datePublished": "2023-02-01T17:56:15.585Z",
        "dateReserved": "2023-01-13T06:43:37.176Z",
        "dateUpdated": "2025-03-26T17:48:59.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2002-20001 (GCVE-0-2002-20001)

    Vulnerability from cvelistv5 – Published: 2021-11-11 00:00 – Updated: 2025-02-13 16:27
    VLAI
    Summary
    The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-08T04:06:55.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Balasys/dheater"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/mozilla/ssl-config-generator/issues/162"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.suse.com/support/kb/doc/?id=000020510"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K83120834"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://dheatattack.com"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gitlab.com/dheatattack/dheater"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://dheatattack.gitlab.io/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ieeexplore.ieee.org/document/10374117"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-23T06:51:09.585Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/Balasys/dheater"
            },
            {
              "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
            },
            {
              "url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/"
            },
            {
              "url": "https://github.com/mozilla/ssl-config-generator/issues/162"
            },
            {
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
            },
            {
              "url": "https://www.suse.com/support/kb/doc/?id=000020510"
            },
            {
              "url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/"
            },
            {
              "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
            },
            {
              "url": "https://support.f5.com/csp/article/K83120834"
            },
            {
              "url": "https://dheatattack.com"
            },
            {
              "url": "https://gitlab.com/dheatattack/dheater"
            },
            {
              "url": "https://dheatattack.gitlab.io/"
            },
            {
              "url": "https://ieeexplore.ieee.org/document/10374117"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2002-20001",
        "datePublished": "2021-11-11T00:00:00.000Z",
        "dateReserved": "2021-11-11T00:00:00.000Z",
        "dateUpdated": "2025-02-13T16:27:06.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }