CVE-2021-22979
On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22976
On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-20412 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 198192.
via "National Vulnerability Database".
CVE-2021-22985
On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions, when processing VPN traffic with APM, TMM consumes excessive memory. A malicious, authenticated VPN user may abuse this to perform a DoS attack against the APM. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22974
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22975
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22982
On BIG-IP DNS and GTM version 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x, big3d does not securely handle and parse certain payloads resulting in a buffer overflow. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-20406 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 198184.
via "National Vulnerability Database".
CVE-2021-20410 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM X-Force ID: 198190.
via "National Vulnerability Database".
CVE-2021-20411 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to impersonate another user on the system due to incorrectly updating the session identifier. IBM X-Force ID: 198191.
via "National Vulnerability Database".
CVE-2021-20409 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 198188.
via "National Vulnerability Database".
CVE-2021-22980
In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could allow an attacker to load a malicious DLL library from its current directory. User interaction is required to exploit this vulnerability in that the victim must run this utility on the Windows system. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22981
On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-20408 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 could disclose highly sensitive information to a local user due to improper storage of a plaintext cryptographic key. IBM X-Force ID: 198187.
via "National Vulnerability Database".
CVE-2021-20407 (security_verify_information_queue)
IBM Security Verify Information Queue 1.0.6 and 1.0.7 discloses sensitive information in source code that could be used in further attacks against the system. IBM X-Force ID: 198185.
via "National Vulnerability Database".
CVE-2021-22973
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
CVE-2021-22983
On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if they attempt to access a maliciously-crafted URL. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".
Yandex Data Breach Exposes 4K+ Email Accounts
In a security notice, Yandex said an employee had been providing unauthorized access to users' email accounts "for personal gain."
via "Threat Post".
mHealth Apps Expose Millions to Cyberattacks
Researcher testing of 30 mobile health apps for clinicians found that all of them had vulnerable APIs.
via "Threat Post".
US Court system demands massive changes to court documents after SolarWinds hack
Multiple senators have demanded a hearing on what court officials know about the hackers' access to sensitive filings. The effects could make accessing documents harder for lawyers.
via "Tech Republic".
CVE-2021-22977
On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
via "National Vulnerability Database".