Big Ip Access Policy Manager Client F5 Networks Big Ip Access Policy Manager Client

Do you want an email whenever new security vulnerabilities are reported in F5 Networks Big Ip Access Policy Manager Client?

By the Year

In 2022 there have been 3 vulnerabilities in F5 Networks Big Ip Access Policy Manager Client with an average score of 6.2 out of ten. Last year Big Ip Access Policy Manager Client had 1 security vulnerability published. That is, 2 more vulnerabilities have already been reported in 2022 as compared to last year. Last year, the average CVE base score was greater by 1.60

Year Vulnerabilities Average Score
2022 3 6.20
2021 1 7.80
2020 5 6.50
2019 1 7.50
2018 2 6.65

It may take a day or so for new Big Ip Access Policy Manager Client vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent F5 Networks Big Ip Access Policy Manager Client Security Vulnerabilities

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2

CVE-2022-28714 7.8 - High - May 05, 2022

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, a DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

DLL preloading

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2

CVE-2022-27636 5.5 - Medium - May 05, 2022

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Insertion of Sensitive Information into Log File

In all versions before 7.2.1.4

CVE-2022-23032 5.3 - Medium - January 25, 2022

In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Origin Validation Error

On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1

CVE-2021-23022 7.8 - High - June 10, 2021

On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Incorrect Permission Assignment for Critical Resource

On versions 7.1.5-7.1.9

CVE-2020-5896 7.8 - High - May 12, 2020

On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.

Incorrect Default Permissions

In versions 7.1.5-7.1.9

CVE-2020-5897 8.8 - High - May 12, 2020

In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.

Dangling pointer

In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland

CVE-2020-5898 5.5 - Medium - May 12, 2020

In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to \\.\urvpndrv device causing the Windows kernel to crash.

In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy

CVE-2020-5892 6.7 - Medium - April 30, 2020

In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory.

Buffer Overflow

In versions 7.1.5-7.1.8

CVE-2020-5893 3.7 - Low - April 30, 2020

In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes for captive portal detection.

Information Disclosure

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files

CVE-2019-6656 7.5 - High - September 25, 2019

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12.1.0-12.1.5, and 11.5.1-11.6.5. In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. Client version 7.1.8 (7180.2019.508.705) and later has the fix.

Insertion of Sensitive Information into Log File

In F5 BIG-IP APM 13.0.0-13.1.1.1

CVE-2018-15316 5.5 - Medium - October 19, 2018

In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint checks.

Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode

CVE-2018-5547 7.8 - High - August 17, 2018

Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access. This feature displays a certificate user interface dialog box which contains the link to the certificate policy. By clicking on the link, unprivileged users can open additional dialog boxes and get access to the local machine windows explorer which can be used to get administrator privilege. Windows Logon Integration is vulnerable when the APM client is installed by an administrator on a user machine. Users accessing the local machine can get administrator privileges

AuthZ

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for F5 Networks Big Ip Access Policy Manager Client or by F5 Networks? Click the Watch button to subscribe.

F5 Networks
Vendor

subscribe