cvelistv5 - cve-2023-40534

CVE-2023-40534 (GCVE-0-2023-40534)

Vulnerability from cvelistv5 – Published: 2023-10-10 12:32 – Updated: 2024-09-19 13:48

Summary

When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000133467

vendor-advisory

Impacted products

Vendor

Product

Version

BIG-IP

Affected: 17.1.0 , < 17.1.0.3.0.23.4-ENG (semver)
Affected: 16.1.0 , < 16.1.4.1.0.13.5-ENG (semver)
Unaffected: 15.1.0 , < * (semver)
Unaffected: 14.1.0 , < * (semver)
Unaffected: 13.1.0 , < * (semver)

BIG-IP Next SPK

Affected: 1.6.0 , < * (semver)

Credits

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:50.458Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://my.f5.com/manage/s/article/K000133467"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40534",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T13:48:25.662031Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T13:48:43.571Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "All Modules"
          ],
          "product": "BIG-IP",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "17.1.0.3.0.23.4-ENG",
              "status": "affected",
              "version": "17.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.1.4.1.0.13.5-ENG",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "15.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "14.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "13.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "BIG-IP Next SPK",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "F5"
        }
      ],
      "datePublic": "2023-10-18T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-10T12:32:37.830Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000133467"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "BIG-IP HTTP/2 vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2023-40534",
    "datePublished": "2023-10-10T12:32:37.830Z",
    "dateReserved": "2023-10-05T19:17:25.722Z",
    "dateUpdated": "2024-09-19T13:48:43.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"92F10A0D-A487-4B2A-ADF7-4AB3C5A98001\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"2ADC24ED-14A3-4F96-A6DA-5A2FDC60A71B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A1CC91B-6920-4AF0-9EDD-DD3189E78F4D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"E42EBA0A-EC53-4885-9AFD-AFF83224214C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1769D69A-CB59-46B1-89B3-FB97DC6DEB9B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"5E49638F-30AA-4112-8F6F-13F013F9E72B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59203EBF-C52A-45A1-B8DF-00E17E3EFB51\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"3823874E-B0C1-4F7B-B1E7-1423C371E79C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C698C1C-A3DD-46E2-B05A-12F2604E7F85\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"C175FBF7-CF8D-48C2-B604-AC766AE3ECAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"87670A74-34FE-45DF-A725-25B804C845B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"C509C00E-2C92-4905-BD2D-22B5BDDDE4EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"67DB21AE-DF53-442D-B492-C4ED9A20B105\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"FAD1751B-9818-474E-B970-719CE1AEA782\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7BC1D037-74D2-4F92-89AD-C90F6CBF440B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"9A519F4C-D469-47A0-9F61-2EE33976177D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B235A78-649B-46C5-B24B-AB485A884654\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"69DE4021-B15C-4310-8898-E4EC3EC0DA60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"84D00768-E71B-4FF7-A7BF-F2C8CFBC900D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"7A779434-C082-486E-8F65-587CE0BD1828\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_edge_gateway:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3F28D083-19BE-4584-A61A-85DD3CDC66BD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"67CAB7BF-AC42-4957-9F8F-59CACA30D0A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ABBD10E8-6054-408F-9687-B9BF6375CA09\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"11EA68F6-028C-4A63-AFB6-0B6F36F5EB8C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"83794B04-87E2-4CA9-81F5-BB820D0F5395\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"16657185-FDAA-4DF4-A2A1-1B5BAF8697FB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A6E7035-3299-474F-8F67-945EA9A059D0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"04ABC7AA-1D2D-4954-863B-A417794B1F5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"56FB92F7-FF1E-425D-A5AB-9D9FB0BB9450\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.6.0\", \"versionEndIncluding\": \"1.8.2\", \"matchCriteriaId\": \"5190BFD8-0F6C-4CAF-9589-7CD8A589CDC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"957276C7-DA88-44F1-AB18-AA39DC1BF9B4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"667EB77B-DA13-4BA4-9371-EE3F3A109F38\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"D6D0A641-7EF3-4F9E-9503-4A202E04102A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C446827A-1F71-4FAD-9422-580642D26AD1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"095E5580-CF33-45EB-90DB-1EB4F0C0DFCA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D1B2000-C3FE-4B4C-885A-A5076EB164E1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.4.1\", \"matchCriteriaId\": \"D097C6A6-5C8D-4275-B0CD-3947E11AA5B1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8AB23AE6-245E-43D6-B832-933F8259F937\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\"}, {\"lang\": \"es\", \"value\": \"Cuando un perfil HTTP/2 del lado del cliente y la opci\\u00f3n HTTP MRF Router est\\u00e1n habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Pol\\u00edtica de Tr\\u00e1fico Local est\\u00e1 asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalizaci\\u00f3n de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se eval\\u00faan.\"}]",
      "id": "CVE-2023-40534",
      "lastModified": "2024-11-21T08:19:40.007",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"f5sirt@f5.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-10-10T13:15:20.730",
      "references": "[{\"url\": \"https://my.f5.com/manage/s/article/K000133467\", \"source\": \"f5sirt@f5.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://my.f5.com/manage/s/article/K000133467\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "f5sirt@f5.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"f5sirt@f5.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-401\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40534\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2023-10-10T13:15:20.730\",\"lastModified\":\"2024-11-21T08:19:40.007\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\"},{\"lang\":\"es\",\"value\":\"Cuando un perfil HTTP/2 del lado del cliente y la opci\u00f3n HTTP MRF Router est\u00e1n habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Pol\u00edtica de Tr\u00e1fico Local est\u00e1 asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalizaci\u00f3n de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se eval\u00faan.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"92F10A0D-A487-4B2A-ADF7-4AB3C5A98001\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"2ADC24ED-14A3-4F96-A6DA-5A2FDC60A71B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A1CC91B-6920-4AF0-9EDD-DD3189E78F4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"E42EBA0A-EC53-4885-9AFD-AFF83224214C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1769D69A-CB59-46B1-89B3-FB97DC6DEB9B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"5E49638F-30AA-4112-8F6F-13F013F9E72B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59203EBF-C52A-45A1-B8DF-00E17E3EFB51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"3823874E-B0C1-4F7B-B1E7-1423C371E79C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C698C1C-A3DD-46E2-B05A-12F2604E7F85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"C175FBF7-CF8D-48C2-B604-AC766AE3ECAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"87670A74-34FE-45DF-A725-25B804C845B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"C509C00E-2C92-4905-BD2D-22B5BDDDE4EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67DB21AE-DF53-442D-B492-C4ED9A20B105\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"FAD1751B-9818-474E-B970-719CE1AEA782\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BC1D037-74D2-4F92-89AD-C90F6CBF440B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"9A519F4C-D469-47A0-9F61-2EE33976177D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B235A78-649B-46C5-B24B-AB485A884654\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"69DE4021-B15C-4310-8898-E4EC3EC0DA60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84D00768-E71B-4FF7-A7BF-F2C8CFBC900D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"7A779434-C082-486E-8F65-587CE0BD1828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_edge_gateway:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F28D083-19BE-4584-A61A-85DD3CDC66BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"67CAB7BF-AC42-4957-9F8F-59CACA30D0A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABBD10E8-6054-408F-9687-B9BF6375CA09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"11EA68F6-028C-4A63-AFB6-0B6F36F5EB8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83794B04-87E2-4CA9-81F5-BB820D0F5395\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"16657185-FDAA-4DF4-A2A1-1B5BAF8697FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A6E7035-3299-474F-8F67-945EA9A059D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"04ABC7AA-1D2D-4954-863B-A417794B1F5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56FB92F7-FF1E-425D-A5AB-9D9FB0BB9450\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.6.0\",\"versionEndIncluding\":\"1.8.2\",\"matchCriteriaId\":\"5190BFD8-0F6C-4CAF-9589-7CD8A589CDC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"957276C7-DA88-44F1-AB18-AA39DC1BF9B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"667EB77B-DA13-4BA4-9371-EE3F3A109F38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"D6D0A641-7EF3-4F9E-9503-4A202E04102A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C446827A-1F71-4FAD-9422-580642D26AD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"095E5580-CF33-45EB-90DB-1EB4F0C0DFCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D1B2000-C3FE-4B4C-885A-A5076EB164E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.4.1\",\"matchCriteriaId\":\"D097C6A6-5C8D-4275-B0CD-3947E11AA5B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AB23AE6-245E-43D6-B832-933F8259F937\"}]}]}],\"references\":[{\"url\":\"https://my.f5.com/manage/s/article/K000133467\",\"source\":\"f5sirt@f5.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://my.f5.com/manage/s/article/K000133467\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K000133467\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:38:50.458Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-40534\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-19T13:48:25.662031Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-19T13:48:33.667Z\"}}], \"cna\": {\"title\": \"BIG-IP HTTP/2 vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"F5\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"F5\", \"modules\": [\"All Modules\"], \"product\": \"BIG-IP\", \"versions\": [{\"status\": \"affected\", \"version\": \"17.1.0\", \"lessThan\": \"17.1.0.3.0.23.4-ENG\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"16.1.0\", \"lessThan\": \"16.1.4.1.0.13.5-ENG\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"15.1.0\", \"lessThan\": \"*\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"14.1.0\", \"lessThan\": \"*\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"13.1.0\", \"lessThan\": \"*\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"F5\", \"product\": \"BIG-IP Next SPK\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.0\", \"lessThan\": \"*\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2023-10-18T14:00:00.000Z\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K000133467\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"F5 SIRTBot v1.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eWhen a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-401\", \"description\": \"CWE-401 Missing Release of Memory after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"shortName\": \"f5\", \"dateUpdated\": \"2023-10-10T12:32:37.830Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-40534\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-19T13:48:43.571Z\", \"dateReserved\": \"2023-10-05T19:17:25.722Z\", \"assignerOrgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"datePublished\": \"2023-10-10T12:32:37.830Z\", \"assignerShortName\": \"f5\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-40534

Vulnerability from fkie_nvd - Published: 2023-10-10 13:15 - Updated: 2024-11-21 08:19

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	f5sirt@f5.com	https://my.f5.com/manage/s/article/K000133467	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://my.f5.com/manage/s/article/K000133467	Vendor Advisory

Impacted products

Vendor	Product	Version
f5	big-ip_access_policy_manager	*
f5	big-ip_access_policy_manager	17.1.0
f5	big-ip_advanced_firewall_manager	*
f5	big-ip_advanced_firewall_manager	17.1.0
f5	big-ip_advanced_web_application_firewall	*
f5	big-ip_advanced_web_application_firewall	17.1.0
f5	big-ip_analytics	*
f5	big-ip_analytics	17.1.0
f5	big-ip_application_acceleration_manager	*
f5	big-ip_application_acceleration_manager	17.1.0
f5	big-ip_application_security_manager	*
f5	big-ip_application_security_manager	17.1.0
f5	big-ip_application_visibility_and_reporting	*
f5	big-ip_application_visibility_and_reporting	17.1.0
f5	big-ip_carrier-grade_nat	*
f5	big-ip_carrier-grade_nat	17.1.0
f5	big-ip_ddos_hybrid_defender	*
f5	big-ip_ddos_hybrid_defender	17.1.0
f5	big-ip_domain_name_system	*
f5	big-ip_domain_name_system	17.1.0
f5	big-ip_edge_gateway	*
f5	big-ip_edge_gateway	17.1.0
f5	big-ip_fraud_protection_service	*
f5	big-ip_fraud_protection_service	17.1.0
f5	big-ip_global_traffic_manager	*
f5	big-ip_global_traffic_manager	17.1.0
f5	big-ip_link_controller	*
f5	big-ip_link_controller	17.1.0
f5	big-ip_local_traffic_manager	*
f5	big-ip_local_traffic_manager	17.1.0
f5	big-ip_next_service_proxy_for_kubernetes	*
f5	big-ip_policy_enforcement_manager	*
f5	big-ip_policy_enforcement_manager	17.1.0
f5	big-ip_ssl_orchestrator	*
f5	big-ip_ssl_orchestrator	17.1.0
f5	big-ip_webaccelerator	*
f5	big-ip_webaccelerator	17.1.0
f5	big-ip_websafe	*
f5	big-ip_websafe	17.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92F10A0D-A487-4B2A-ADF7-4AB3C5A98001",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2ADC24ED-14A3-4F96-A6DA-5A2FDC60A71B",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A1CC91B-6920-4AF0-9EDD-DD3189E78F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E42EBA0A-EC53-4885-9AFD-AFF83224214C",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1769D69A-CB59-46B1-89B3-FB97DC6DEB9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E49638F-30AA-4112-8F6F-13F013F9E72B",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59203EBF-C52A-45A1-B8DF-00E17E3EFB51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3823874E-B0C1-4F7B-B1E7-1423C371E79C",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C698C1C-A3DD-46E2-B05A-12F2604E7F85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C175FBF7-CF8D-48C2-B604-AC766AE3ECAD",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87670A74-34FE-45DF-A725-25B804C845B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C509C00E-2C92-4905-BD2D-22B5BDDDE4EE",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "67DB21AE-DF53-442D-B492-C4ED9A20B105",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FAD1751B-9818-474E-B970-719CE1AEA782",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BC1D037-74D2-4F92-89AD-C90F6CBF440B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A519F4C-D469-47A0-9F61-2EE33976177D",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B235A78-649B-46C5-B24B-AB485A884654",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69DE4021-B15C-4310-8898-E4EC3EC0DA60",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "84D00768-E71B-4FF7-A7BF-F2C8CFBC900D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A779434-C082-486E-8F65-587CE0BD1828",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F28D083-19BE-4584-A61A-85DD3CDC66BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67CAB7BF-AC42-4957-9F8F-59CACA30D0A3",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABBD10E8-6054-408F-9687-B9BF6375CA09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "11EA68F6-028C-4A63-AFB6-0B6F36F5EB8C",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "83794B04-87E2-4CA9-81F5-BB820D0F5395",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "16657185-FDAA-4DF4-A2A1-1B5BAF8697FB",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A6E7035-3299-474F-8F67-945EA9A059D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04ABC7AA-1D2D-4954-863B-A417794B1F5B",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "56FB92F7-FF1E-425D-A5AB-9D9FB0BB9450",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5190BFD8-0F6C-4CAF-9589-7CD8A589CDC3",
              "versionEndIncluding": "1.8.2",
              "versionStartIncluding": "1.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "957276C7-DA88-44F1-AB18-AA39DC1BF9B4",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "667EB77B-DA13-4BA4-9371-EE3F3A109F38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6D0A641-7EF3-4F9E-9503-4A202E04102A",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C446827A-1F71-4FAD-9422-580642D26AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "095E5580-CF33-45EB-90DB-1EB4F0C0DFCA",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D1B2000-C3FE-4B4C-885A-A5076EB164E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D097C6A6-5C8D-4275-B0CD-3947E11AA5B1",
              "versionEndExcluding": "16.1.4.1",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AB23AE6-245E-43D6-B832-933F8259F937",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
    },
    {
      "lang": "es",
      "value": "Cuando un perfil HTTP/2 del lado del cliente y la opci\u00f3n HTTP MRF Router est\u00e1n habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Pol\u00edtica de Tr\u00e1fico Local est\u00e1 asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalizaci\u00f3n de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se eval\u00faan."
    }
  ],
  "id": "CVE-2023-40534",
  "lastModified": "2024-11-21T08:19:40.007",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "f5sirt@f5.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-10T13:15:20.730",
  "references": [
    {
      "source": "f5sirt@f5.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://my.f5.com/manage/s/article/K000133467"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://my.f5.com/manage/s/article/K000133467"
    }
  ],
  "sourceIdentifier": "f5sirt@f5.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "f5sirt@f5.com",
      "type": "Primary"
    }
  ]
}

CNVD-2023-75605

Vulnerability from cnvd - Published: 2023-10-11

Title

F5 BIG-IP HTTP/2服务拒绝漏洞

Description

F5 BIG-IP是F5公司的一款集成了网络流量编排、负载均衡、智能DNS，远程接入策略管理等功能的应用交付平台。 F5 BIG-IP HTTP/2存在服务拒绝漏洞，攻击者可利用该漏洞导致TMM终止。

Severity

高

Patch Name

F5 BIG-IP HTTP/2服务拒绝漏洞的补丁

Patch Description

F5 BIG-IP是F5公司的一款集成了网络流量编排、负载均衡、智能DNS，远程接入策略管理等功能的应用交付平台。 F5 BIG-IP HTTP/2存在服务拒绝漏洞，攻击者可利用该漏洞导致TMM终止。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://my.f5.com/manage/s/article/K000137053

Reference

https://my.f5.com/manage/s/article/K000137053

Impacted products

Name
['F5 BIG-IP (all modules) >=16.1.0，<=16.1.4', 'F5 BIG-IP (all modules) 17.1.0', 'F5 BIG-IP Next SPK >=1.6.0，<=1.8.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-40534",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-40534"
    }
  },
  "description": "F5 BIG-IP\u662fF5\u516c\u53f8\u7684\u4e00\u6b3e\u96c6\u6210\u4e86\u7f51\u7edc\u6d41\u91cf\u7f16\u6392\u3001\u8d1f\u8f7d\u5747\u8861\u3001\u667a\u80fdDNS\uff0c\u8fdc\u7a0b\u63a5\u5165\u7b56\u7565\u7ba1\u7406\u7b49\u529f\u80fd\u7684\u5e94\u7528\u4ea4\u4ed8\u5e73\u53f0\u3002\n\nF5 BIG-IP HTTP/2\u5b58\u5728\u670d\u52a1\u62d2\u7edd\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4TMM\u7ec8\u6b62\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://my.f5.com/manage/s/article/K000137053",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-75605",
  "openTime": "2023-10-11",
  "patchDescription": "F5 BIG-IP\u662fF5\u516c\u53f8\u7684\u4e00\u6b3e\u96c6\u6210\u4e86\u7f51\u7edc\u6d41\u91cf\u7f16\u6392\u3001\u8d1f\u8f7d\u5747\u8861\u3001\u667a\u80fdDNS\uff0c\u8fdc\u7a0b\u63a5\u5165\u7b56\u7565\u7ba1\u7406\u7b49\u529f\u80fd\u7684\u5e94\u7528\u4ea4\u4ed8\u5e73\u53f0\u3002\r\n\r\nF5 BIG-IP HTTP/2\u5b58\u5728\u670d\u52a1\u62d2\u7edd\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4TMM\u7ec8\u6b62\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "F5 BIG-IP HTTP/2\u670d\u52a1\u62d2\u7edd\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "F5 BIG-IP (all modules) \u003e=16.1.0\uff0c\u003c=16.1.4",
      "F5 BIG-IP (all modules) 17.1.0",
      "F5 BIG-IP Next SPK \u003e=1.6.0\uff0c\u003c=1.8.2"
    ]
  },
  "referenceLink": "https://my.f5.com/manage/s/article/K000137053",
  "serverity": "\u9ad8",
  "submitTime": "2023-10-11",
  "title": "F5 BIG-IP HTTP/2\u670d\u52a1\u62d2\u7edd\u6f0f\u6d1e"
}

GSD-2023-40534

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-40534

Aliases

CVE-2023-40534

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-40534",
    "id": "GSD-2023-40534"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-40534"
      ],
      "details": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
      "id": "GSD-2023-40534",
      "modified": "2023-12-13T01:20:43.512200Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "f5sirt@f5.com",
        "ID": "CVE-2023-40534",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BIG-IP",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unknown",
                            "versions": [
                              {
                                "lessThan": "17.1.0.3.0.23.4-ENG",
                                "status": "affected",
                                "version": "17.1.0",
                                "versionType": "semver"
                              },
                              {
                                "lessThan": "16.1.4.1.0.13.5-ENG",
                                "status": "affected",
                                "version": "16.1.0",
                                "versionType": "semver"
                              },
                              {
                                "lessThan": "*",
                                "status": "unaffected",
                                "version": "15.1.0",
                                "versionType": "semver"
                              },
                              {
                                "lessThan": "*",
                                "status": "unaffected",
                                "version": "14.1.0",
                                "versionType": "semver"
                              },
                              {
                                "lessThan": "*",
                                "status": "unaffected",
                                "version": "13.1.0",
                                "versionType": "semver"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "BIG-IP Next SPK",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.6.0",
                          "version_value": "*"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "F5"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "F5"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
          }
        ]
      },
      "generator": {
        "engine": "F5 SIRTBot v1.0"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-401",
                "lang": "eng",
                "value": "CWE-401 Missing Release of Memory after Effective Lifetime"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://my.f5.com/manage/s/article/K000133467",
            "refsource": "MISC",
            "url": "https://my.f5.com/manage/s/article/K000133467"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_edge_gateway:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.4.1",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.8.2",
                "versionStartIncluding": "1.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "f5sirt@f5.com",
          "ID": "CVE-2023-40534"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-401"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://my.f5.com/manage/s/article/K000133467",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000133467"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-10-19T16:08Z",
      "publishedDate": "2023-10-10T13:15Z"
    }
  }
}

CERTFR-2023-AVI-0837

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
F5	NGINX	NGINX OSS versions 1.9.5 à 1.25.2
F5	BIG-IP	BIG-IP (tous modules) versions 16.1.x antérieures à 16.1.4.1 avec le correctif de sécurité Hotfix-BIGIP-16.1.4.1.0.13.5-ENG
F5	BIG-IQ	BIG-IQ Centralized Management versions 8.0.0 à 8.3.0 antérieures à 8.3.0 avec le correctif Hotfix-BIG-IQ-8.3.0.0.12.118-ENG
F5	BIG-IP Next	BIG-IP Next SPK versions 1.5.0 à 1.8.2
F5	BIG-IP	BIG-IP (APM) versions 16.1.0 à 16.1.3 antérieures à 16.1.4
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 3.0.0 à 3.3.0
F5	BIG-IP	BIG-IP (Advanced WAF/ASM) versions 16.1.x antérieures à 16.1.4
F5	NGINX Plus	NGINX Plus verions R25 à R30 antérieures à R30 P1
F5	BIG-IP	BIG-IP (DNS, LTM avec le license DNS Services activée) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.9
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 2.0.0 à 2.4.2
F5	BIG-IP	BIG-IP (DNS, LTM avec le license DNS Services activée) versions 16.1.x antérieures à 16.1.4
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 1.12.2 à 1.12.5
F5	BIG-IP Next	BIG-IP Next CNF versions 1.1.0 à 1.1.1
F5	NGINX	NGINX App Protect WAF versions 3.3.0 à 3.12.2 et 4.x antérieures à 4.2.0
F5	BIG-IP	BIG-IP (Advanced WAF/ASM) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.9
F5	N/A	APM Clients versions 7.2.3.x, 7.2.4.x antérieures à 7.2.4.5
F5	BIG-IP Next	BIG-IP Next (tous modules) version 20.0.1
F5	BIG-IP	BIG-IP (tous modules) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.10.2
F5	BIG-IP	BIG-IP (tous modules) versions 17.1.x antérieures à 17.1.0.3 avec le correctif de sécurité Hotfix-BIGIP-17.1.0.3.0.23.4-ENG
F5	BIG-IP	BIG-IP (APM) versions 14.1.x, 15.1.x antérieures à 15.1.9

References

Title

Publication Time

Tags

Bulletin de sécurité F5 K000137053 du 10 octobre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NGINX OSS versions 1.9.5 \u00e0 1.25.2",
      "product": {
        "name": "NGINX",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4.1 avec le correctif de s\u00e9curit\u00e9 Hotfix-BIGIP-16.1.4.1.0.13.5-ENG",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IQ Centralized Management versions 8.0.0 \u00e0 8.3.0 ant\u00e9rieures \u00e0 8.3.0 avec le correctif Hotfix-BIG-IQ-8.3.0.0.12.118-ENG",
      "product": {
        "name": "BIG-IQ",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next SPK versions 1.5.0 \u00e0 1.8.2",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (APM) versions 16.1.0 \u00e0 16.1.3 ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 3.0.0 \u00e0 3.3.0",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (Advanced WAF/ASM) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Plus verions R25 \u00e0 R30 ant\u00e9rieures \u00e0 R30 P1",
      "product": {
        "name": "NGINX Plus",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (DNS, LTM avec le license DNS Services activ\u00e9e) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 2.0.0 \u00e0 2.4.2",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (DNS, LTM avec le license DNS Services activ\u00e9e) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 1.12.2 \u00e0 1.12.5",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next CNF versions 1.1.0 \u00e0 1.1.1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX App Protect WAF versions 3.3.0 \u00e0 3.12.2 et 4.x ant\u00e9rieures \u00e0 4.2.0",
      "product": {
        "name": "NGINX",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (Advanced WAF/ASM) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "APM Clients versions 7.2.3.x, 7.2.4.x ant\u00e9rieures \u00e0 7.2.4.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next (tous modules) version 20.0.1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.10.2",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 17.1.x ant\u00e9rieures \u00e0 17.1.0.3 avec le correctif de s\u00e9curit\u00e9 Hotfix-BIGIP-17.1.0.3.0.23.4-ENG",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (APM) versions 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-40542",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40542"
    },
    {
      "name": "CVE-2023-5450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5450"
    },
    {
      "name": "CVE-2023-41373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41373"
    },
    {
      "name": "CVE-2023-43746",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43746"
    },
    {
      "name": "CVE-2023-40537",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40537"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-41085",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41085"
    },
    {
      "name": "CVE-2023-41253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41253"
    },
    {
      "name": "CVE-2023-42768",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42768"
    },
    {
      "name": "CVE-2023-43611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43611"
    },
    {
      "name": "CVE-2023-45226",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45226"
    },
    {
      "name": "CVE-2023-45219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45219"
    },
    {
      "name": "CVE-2023-41964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41964"
    },
    {
      "name": "CVE-2023-39447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39447"
    },
    {
      "name": "CVE-2023-40534",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40534"
    },
    {
      "name": "CVE-2023-43485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43485"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0837",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-10-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 F5 K000137053 du 10 octobre 2023",
      "url": "https://my.f5.com/manage/s/article/K000137053"
    }
  ]
}

CERTFR-2023-AVI-0837

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
F5	NGINX	NGINX OSS versions 1.9.5 à 1.25.2
F5	BIG-IP	BIG-IP (tous modules) versions 16.1.x antérieures à 16.1.4.1 avec le correctif de sécurité Hotfix-BIGIP-16.1.4.1.0.13.5-ENG
F5	BIG-IQ	BIG-IQ Centralized Management versions 8.0.0 à 8.3.0 antérieures à 8.3.0 avec le correctif Hotfix-BIG-IQ-8.3.0.0.12.118-ENG
F5	BIG-IP Next	BIG-IP Next SPK versions 1.5.0 à 1.8.2
F5	BIG-IP	BIG-IP (APM) versions 16.1.0 à 16.1.3 antérieures à 16.1.4
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 3.0.0 à 3.3.0
F5	BIG-IP	BIG-IP (Advanced WAF/ASM) versions 16.1.x antérieures à 16.1.4
F5	NGINX Plus	NGINX Plus verions R25 à R30 antérieures à R30 P1
F5	BIG-IP	BIG-IP (DNS, LTM avec le license DNS Services activée) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.9
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 2.0.0 à 2.4.2
F5	BIG-IP	BIG-IP (DNS, LTM avec le license DNS Services activée) versions 16.1.x antérieures à 16.1.4
F5	NGINX Ingress Controller	NGINX Ingress Controller versions 1.12.2 à 1.12.5
F5	BIG-IP Next	BIG-IP Next CNF versions 1.1.0 à 1.1.1
F5	NGINX	NGINX App Protect WAF versions 3.3.0 à 3.12.2 et 4.x antérieures à 4.2.0
F5	BIG-IP	BIG-IP (Advanced WAF/ASM) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.9
F5	N/A	APM Clients versions 7.2.3.x, 7.2.4.x antérieures à 7.2.4.5
F5	BIG-IP Next	BIG-IP Next (tous modules) version 20.0.1
F5	BIG-IP	BIG-IP (tous modules) versions 13.1.x, 14.1.x, 15.1.x antérieures à 15.1.10.2
F5	BIG-IP	BIG-IP (tous modules) versions 17.1.x antérieures à 17.1.0.3 avec le correctif de sécurité Hotfix-BIGIP-17.1.0.3.0.23.4-ENG
F5	BIG-IP	BIG-IP (APM) versions 14.1.x, 15.1.x antérieures à 15.1.9

References

Title

Publication Time

Tags

Bulletin de sécurité F5 K000137053 du 10 octobre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NGINX OSS versions 1.9.5 \u00e0 1.25.2",
      "product": {
        "name": "NGINX",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4.1 avec le correctif de s\u00e9curit\u00e9 Hotfix-BIGIP-16.1.4.1.0.13.5-ENG",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IQ Centralized Management versions 8.0.0 \u00e0 8.3.0 ant\u00e9rieures \u00e0 8.3.0 avec le correctif Hotfix-BIG-IQ-8.3.0.0.12.118-ENG",
      "product": {
        "name": "BIG-IQ",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next SPK versions 1.5.0 \u00e0 1.8.2",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (APM) versions 16.1.0 \u00e0 16.1.3 ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 3.0.0 \u00e0 3.3.0",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (Advanced WAF/ASM) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Plus verions R25 \u00e0 R30 ant\u00e9rieures \u00e0 R30 P1",
      "product": {
        "name": "NGINX Plus",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (DNS, LTM avec le license DNS Services activ\u00e9e) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 2.0.0 \u00e0 2.4.2",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (DNS, LTM avec le license DNS Services activ\u00e9e) versions 16.1.x ant\u00e9rieures \u00e0 16.1.4",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX Ingress Controller versions 1.12.2 \u00e0 1.12.5",
      "product": {
        "name": "NGINX Ingress Controller",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next CNF versions 1.1.0 \u00e0 1.1.1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX App Protect WAF versions 3.3.0 \u00e0 3.12.2 et 4.x ant\u00e9rieures \u00e0 4.2.0",
      "product": {
        "name": "NGINX",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (Advanced WAF/ASM) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "APM Clients versions 7.2.3.x, 7.2.4.x ant\u00e9rieures \u00e0 7.2.4.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next (tous modules) version 20.0.1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 13.1.x, 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.10.2",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous modules) versions 17.1.x ant\u00e9rieures \u00e0 17.1.0.3 avec le correctif de s\u00e9curit\u00e9 Hotfix-BIGIP-17.1.0.3.0.23.4-ENG",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (APM) versions 14.1.x, 15.1.x ant\u00e9rieures \u00e0 15.1.9",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-40542",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40542"
    },
    {
      "name": "CVE-2023-5450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5450"
    },
    {
      "name": "CVE-2023-41373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41373"
    },
    {
      "name": "CVE-2023-43746",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43746"
    },
    {
      "name": "CVE-2023-40537",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40537"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-41085",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41085"
    },
    {
      "name": "CVE-2023-41253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41253"
    },
    {
      "name": "CVE-2023-42768",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42768"
    },
    {
      "name": "CVE-2023-43611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43611"
    },
    {
      "name": "CVE-2023-45226",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45226"
    },
    {
      "name": "CVE-2023-45219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45219"
    },
    {
      "name": "CVE-2023-41964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41964"
    },
    {
      "name": "CVE-2023-39447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39447"
    },
    {
      "name": "CVE-2023-40534",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40534"
    },
    {
      "name": "CVE-2023-43485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43485"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0837",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-10-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 F5 K000137053 du 10 octobre 2023",
      "url": "https://my.f5.com/manage/s/article/K000137053"
    }
  ]
}

GHSA-W99G-74QG-JCGF

Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2024-04-04 08:28

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-40534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T13:15:20Z",
    "severity": "HIGH"
  },
  "details": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-w99g-74qg-jcgf",
  "modified": "2024-04-04T08:28:54Z",
  "published": "2023-10-10T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40534"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000133467"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-40534 (GCVE-0-2023-40534)

FKIE_CVE-2023-40534

CNVD-2023-75605

GSD-2023-40534

CERTFR-2023-AVI-0837

Solution

CERTFR-2023-AVI-0837

Solution

GHSA-W99G-74QG-JCGF

Tags

Sightings

Nomenclature