Edit Content
Report Incident
English
Sinhala
Tamil

ADVISORY!

TLP : CLEAR

Date : 16/05/2024

REF NO : CERT / 2024/05/45

F5 Products Multiple Vulnerabilities

Severity Level: High

Components Affected

BIG-IP (AFM, Analytics, AAM, DNS, FPS, Link Controller, LTM, PEM, Advanced WAF, ASM)

  • 15.1.0 – 15.1.10
  • 16.1.0 – 16.1.4
  • 17.1.0 – 17.1.1

BIG-IQ Centralized Management

  • 8.1.0 – 8.3.0

Traffix SDC

  • 5.1.0

Overview

Multiple vulnerabilities were identified in F5 Products. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, information disclosure and data manipulation on the targeted system.

Description

  • CVE-2022-40304

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

  • CVE-2023-29469

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the ‘\0’ value).

Impact

  • Denial of Service
  • Information Disclosure
  • Data Manipulation

Solution/ Workarounds

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

Apply workarounds issued by the vendor:

Workaround:

Reduce the vulnerability of attacks of CVE-2022-40304 by following workaround:

  • Do not allow Document Type Definition (DTD) validation in XML profiles or permit DTD validation in monitors or iRules that contain custom XML.

Reference

  1. https://my.f5.com/manage/s/article/K000139592
  2. https://my.f5.com/manage/s/article/K000139594

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Linkedin-in Facebook-f Twitter Youtube

Quick Links

Useful Links

Contact

  • Hotline : 101
  • +94 11 269 1692
  • Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
  • General inquiry: cert@cert.gov.lk
  • Security incidents: incidents@cert.gov.lk
  • Social media incidents: report@cert.gov.lk

Copyright © 2023 SRI LANKA CERT | CC