Versions
11.5.1-11.5.7, 11.6.0-11.6.3, 12.1.0-12.1.3
11.6.1-11.6.3.2, 11.5.1-11.5.8
12.0.0, 12.1.0, 12.1.1, 12.1.2
12.1.2
11.6.0, 11.6.1
12.0.0-12.1.2
11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, 13.1.0-13.1.0.3
11.6.0-11.6.3
12.0.0 through 12.1.2
13.0.0
EM 3.1.1
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4
13.0.0-13.1.1
13.0.0-13.1.0.7
13.0.0-13.1.x
14.0.0-14.0.0.2, 13.0.0-13.1.1.1
14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, 11.5.1-11.5.8
14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2
13.0.0-13.1.1.1
APM Client 7.1.5-7.1.7.1, Edge Client 7101-7150
11.5.x,11.6.x
14.0.0-14.0.0.4, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7
12.1.0-12.1.3
12.1.0-12.1.3.5
13.1.0.4-13.1.0.7, 13.0.1
All versions 11.2.1+
Recent CVEs
CVE-2019-6596
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when processing fragmented ClientHello messages in a DTLS session TMM may corrupt memory eventually leading to a crash. Only systems offering DTLS connections via APM are impacted.
CVE-2019-6599
In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS) attack.
CVE-2019-6595
Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Manager (APM) 11.5.x and 11.6.x Admin Web UI.
CVE-2019-6591
On BIG-IP APM 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.3 and 12.1.0 to 12.1.3.7, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
CVE-2018-15334
A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow attacker to force an APM webtop session to log out and require re-authentication.
CVE-2018-15335
When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM becomes a client application to an external OAuth authorization server. In certain cases when communication between the BIG-IP APM and the OAuth authorization server is lost, APM may not display the intended message in the failure response
CVE-2018-15332
The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.
CVE-2018-15324
On BIG-IP APM 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, TMM may restart when processing a specially crafted request with APM portal access.
CVE-2018-15326
In some situations on BIG-IP APM 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.2, the CRLDP Auth access policy agent may treat revoked certificates as valid when the BIG-IP APM system fails to download a new Certificate Revocation List.
CVE-2018-15316
In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint checks.