CVE-2016-9244

high

CVSS v3 Base Score

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

67.5%

Exploitation probability in 30 days

Top 1% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

None

Availability

None

Published: February 9, 2017 (3380 days ago)

Last Modified: May 13, 2026

Vendor: F5

Source: NVD

Description

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

CWE

CWE-200

Affected Products

f5 big-ip local traffic managerf5 big-ip application acceleration managerf5 big-ip advanced firewall managerf5 big-ip analyticsf5 big-ip access policy managerf5 big-ip application security managerf5 big-ip global traffic managerf5 big-ip link controllerf5 big-ip policy enforcement managerf5 big-ip protocol security module

References

🔗 packetstormsecurity.com 🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 blog.filippo.io 🔗 filippo.io

CVE-2016-9244

Vulnerability Report

Description

CWE

Affected Products

References