On versions 15.0.0-18.104.22.168, 14.1.0-22.214.171.124, 14.0.0-14.0.1, 13.1.0-126.96.36.199, 12.1.0-12.1.5, and 11.5.2-188.8.131.52, BIG-IP virtual servers with Loose Initiation enabled on a FastL4 profile may be subject to excessive flow usage under undisclosed conditions.
On versions 15.0.0-184.108.40.206, 14.0.0-220.127.116.11, 13.1.0-18.104.22.168, 12.1.0-12.1.5, and 11.5.2-22.214.171.124, the BIG-IP ASM system may consume excessive resources when processing certain types of HTTP responses from the origin web server. This vulnerability is only known to affect resource-constrained systems in which the security policy is configured with response-side features, such as Data Guard or response-side learning.
On BIG-IP 15.0.0-15.0.1, 14.1.0-126.96.36.199, 14.0.0-188.8.131.52, 13.1.0-184.108.40.206, 12.1.0-220.127.116.11, and 11.5.1-11.6.5, under certain conditions, TMM may consume excessive resources when processing traffic for a Virtual Server with the FIX (Financial Information eXchange) profile applied.
On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.
When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-18.104.22.168, 12.1.0-22.214.171.124, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.
On BIG-IP 14.1.0-126.96.36.199, 14.0.0-188.8.131.52, 13.0.0-13.1.2, 12.1.0-184.108.40.206, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the management interface could eventually deplete memory on the system.
On BIG-IP (ASM) 14.1.0-220.127.116.11, 14.0.0-18.104.22.168, 13.0.0-22.214.171.124, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of "Guest" or greater privilege. Note: "No Access" cannot login so technically it's a role but a user with this access role cannot perform the attack.
On BIG-IP 14.1.0-126.96.36.199 and 14.0.0-188.8.131.52, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process.
On BIG-IP 11.5.1-184.108.40.206, 220.127.116.11-18.104.22.168, 13.0.0 HF1-22.214.171.124, and 14.0.0-126.96.36.199, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances.
On BIG-IP LTM 13.0.0 to 13.0.1 and 12.1.0 to 188.8.131.52, under certain conditions, the TMM may consume excessive resources when processing SSL Session ID Persistence traffic.