F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, remote access policy management, and related functions. A DOM-based cross-site scripting (XSS) vulnerability, CVE-2021-23027, exists in the F5 BIG-IP TMUI (the BIG-IP Configuration utility); an attacker can exploit it to run JavaScript in the context of the currently logged-in user.
{"f5": [{"lastseen": "2021-09-01T12:57:43", "description": "A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. ([CVE-2021-23027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23027>))\n\nImpact\n\nAn attacker may exploit this vulnerability by causing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (**bash**), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system.\n", "cvss3": {}, "published": "2021-08-24T12:49:00", "type": "f5", "title": "TMUI XSS vulnerability CVE-2021-23027", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-23027"], "modified": "2021-08-24T12:49:00", "id": "F5:K24301698", "href": "https://support.f5.com/csp/article/K24301698", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-20T05:39:24", "description": "On August 24, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. 
You can find the details of each issue in the associated security advisory.\n\nHigh CVEs\n\n * [K55543151: BIG-IP TMUI vulnerability CVE-2021-23025](<https://support.f5.com/csp/article/K55543151>)\n\nCVSS score: 7.2 (High)\n\nAn authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.\n\n * [K53854428: iControl SOAP vulnerability CVE-2021-23026](<https://support.f5.com/csp/article/K53854428>)\n\nCVSS score: 7.5 (High)\n\nBIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.\n\n * [K24301698: TMUI XSS vulnerability CVE-2021-23027](<https://support.f5.com/csp/article/K24301698>)\n\nCVSS score: 7.5 (High)\n\nA DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.\n\n * [K00602225: BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028](<https://support.f5.com/csp/article/K00602225>)\n\nCVSS score: 7.5 (High)\n\nWhen JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.\n\n * [K52420610: BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23029](<https://support.f5.com/csp/article/K52420610>)\n\nCVSS score: 7.5 (High)\n\nInsufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.\n\n * [K42051445: BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23030](<https://support.f5.com/csp/article/K42051445>)\n\nCVSS score: 7.5 (High)\n\nWhen a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.\n\n * [K41351250: BIG-IP Advanced 
WAF and ASM TMUI vulnerability CVE-2021-23031](<https://support.f5.com/csp/article/K41351250>)\n\nCVSS score: 8.8 (High) / 9.9 (Appliance Mode Only) \n**Note**: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>).\n\nAn authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI.\n\n * [K45407662: BIG-IP DNS vulnerability CVE-2021-23032](<https://support.f5.com/csp/article/K45407662>)\n\nCVSS score: 7.5 (High)\n\nWhen a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K05314769: BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23033](<https://support.f5.com/csp/article/K05314769>)\n\nCVSS score: 7.5 (High)\n\nWhen a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.\n\n * [K30523121: BIG-IP TMM vulnerability CVE-2021-23034](<https://support.f5.com/csp/article/K30523121>)\n\nCVSS score: 7.5 (High)\n\nWhen a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.\n\n * [K70415522: TMM vulnerability CVE-2021-23035](<https://support.f5.com/csp/article/K70415522>)\n\nCVSS score: 7.5 (High)\n\nWhen an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K05043394: TMM vulnerability CVE-2021-23036](<https://support.f5.com/csp/article/K05043394>)\n\nCVSS score: 7.5 (High)\n\nWhen a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * 
[K21435974: TMUI XSS vulnerability CVE-2021-23037](<https://support.f5.com/csp/article/K21435974>)\n\nCVSS score: 7.5 (High)\n\nA reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.\n\nMedium CVEs\n\n * [K61643620: BIG-IP TMUI XSS vulnerability CVE-2021-23038](<https://support.f5.com/csp/article/K61643620>)\n\nCVSS score: 6.8 (Medium)\n\nA stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.\n\n * [K66782293: TMM vulnerability CVE-2021-23039](<https://support.f5.com/csp/article/K66782293>)\n\nCVSS score: 6.5 (Medium)\n\nWhen IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPSec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K94255403: BIG-IP AFM vulnerability CVE-2021-23040](<https://support.f5.com/csp/article/K94255403>)\n\nCVSS score: 5.4 (Medium)\n\nA SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. 
This issue is exposed only when BIG-IP AFM is provisioned.\n\n * [K42526507: BIG-IP TMUI vulnerability CVE-2021-23041](<https://support.f5.com/csp/article/K42526507>)\n\nCVSS score: 4.7 (Medium)\n\nA DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.\n\n * [K93231374: BIG-IP HTTP vulnerability CVE-2021-23042](<https://support.f5.com/csp/article/K93231374>)\n\nCVSS score: 5.3 (Medium)\n\nWhen an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization.\n\n * [K63163637: BIG-IP TMUI vulnerability CVE-2021-23043](<https://support.f5.com/csp/article/K63163637>)\n\nCVSS score: 4.3 (Medium)\n\nA directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files.\n\n * [K35408374: BIG-IP compression driver vulnerability CVE-2021-23044](<https://support.f5.com/csp/article/K35408374>)\n\nCVSS score: 5.9 (Medium)\n\nWhen the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K94941221: TMM SCTP vulnerability CVE-2021-23045](<https://support.f5.com/csp/article/K94941221>)\n\nCVSS score: 5.3 (Medium)\n\nWhen an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K70652532: F5 BIG-IP Guided Configuration logging vulnerability CVE-2021-23046](<https://support.f5.com/csp/article/K70652532>)\n\nCVSS score: 4.9 (Medium)\n\nWhen a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs.\n\n * 
[K79428827: BIG-IP APM OCSP vulnerability CVE-2021-23047](<https://support.f5.com/csp/article/K79428827>)\n\nCVSS score: 5.3 (Medium)\n\nWhen BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use.\n\n * [K19012930: TMM GTP vulnerability CVE-2021-23048](<https://support.f5.com/csp/article/K19012930>)\n\nCVSS score: 5.9 (Medium)\n\nWhen GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate.\n\n * [K65397301: iRule RESOLVER::summarize memory leak vulnerability CVE-2021-23049](<https://support.f5.com/csp/article/K65397301>)\n\nCVSS score: 5.3 (Medium)\n\nWhen the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS).\n\n * [K44553214: Web application firewall vulnerability CVE-2021-23050](<https://support.f5.com/csp/article/K44553214>)\n\nCVSS score: 5.9 (Medium)\n\nWhen a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the BIG-IP ASM bd process to terminate.\n\n * [K01153535: BIG-IP AWS vulnerability CVE-2021-23051](<https://support.f5.com/csp/article/K01153535>)\n\nCVSS score: 5.9 (Medium)\n\nWhen the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. 
This is due to an incomplete fix for CVE-2020-5862.\n\n * [K32734107: BIG-IP APM vulnerability CVE-2021-23052](<https://support.f5.com/csp/article/K32734107>)\n\nCVSS score: 6.1 (Medium)\n\nAn open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI.\n\nLow CVEs\n\n * [K36942191: BIG-IP Advanced WAF and ASM MySQL database vulnerability CVE-2021-23053](<https://support.f5.com/csp/article/K36942191>)\n\nCVSS score: 3.7 (Low)\n\nWhen the brute force protection feature of ASM/Adv WAF is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database.\n\nSecurity Exposures\n\n * [K14903688: BIG-IP SSL Profile OCSP Authentication security exposure](<https://support.f5.com/csp/article/K14903688>)\n\nThe BIG-IP system does not properly verify the revocation of intermediate CA certificates when querying Online Certificate Status Protocol (OCSP) servers and may allow unauthorized connections.\n\n * [K49549213: The BIG-IP Advanced WAF and ASM brute force mitigation may fail when receiving a specially crafted request](<https://support.f5.com/csp/article/K49549213>)\n\nF5 Advanced Web Application Firewall (WAF) and BIG-IP ASM brute force mitigation may fail.\n\n * [K48321015: The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages](<https://support.f5.com/csp/article/K48321015>)\n\nThe BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages when the request contains an incorrectly formatted parameter. 
This issue occurs when the security policy includes a configuration that enables brute force protection for the HTML form login page.\n\n * [K30150004: The attack signature check may fail to detect and block malicious requests](<https://support.f5.com/csp/article/K30150004>)\n\nThe attack signature check may fail to detect and block malicious request containing certain decimal-coded characters.\n\n * [K30291321: The attack signature check may fail to detect and block illegal requests.](<https://support.f5.com/csp/article/K30291321>)\n\nThe attack signature check may fail to detect and block illegal requests.\n\n * [K05391775: The BIG-IP ASM system may not properly perform attack signature checks](<https://support.f5.com/csp/article/K05391775>)\n\nThe BIG-IP ASM system may not properly perform attack signature checks on request and response content.\n\nThe following table provides key information for each vulnerability to assist in determining which are pertinent to your network.\n\n**Note**: For security and sustainability, your best update choice is the latest maintenance release of a Long-Term Stability Release version.\n\n * Long-Term Stability Release versions have 1 for their minor release number (x.1.x), and they are not available for a period of time after a major release (x.0.x).\n * The latest maintenance release of a Long-Term Stability Release version (x.1.latest) can be between x.1.0 and x.1.n.\n\nUpdating to maintenance or point releases (x.1.x.x) for a Long-Term Stability Release version does not introduce changes in existing default behavior.\n\nF5 recommends that you update or upgrade your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. 
For more information, see the release notes for [BIG-IP 14.1.0](<https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-1-0.html>) and [BIG-IP 15.1.0](<https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-15-1-0.html>).\n\nHigh CVEs\n\nCVE / Bug ID | Severity | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|---|--- \n[CVE-2021-23025](<https://support.f5.com/csp/article/K55543151>) | High | 7.2 | BIG-IP (all modules) | 15.0.0 - 15.1.0 \n14.1.0 - 14.1.3 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.0.0 \n15.1.0.5 \n14.1.3.1 \n13.1.3.5 \n[CVE-2021-23026](<https://support.f5.com/csp/article/K53854428>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.2 \n13.1.4.1 \nBIG-IQ | 8.0.0 - 8.1.0 \n7.0.0 - 7.1.0 \n6.0.0 - 6.1.0 | None \n[CVE-2021-23027](<https://support.f5.com/csp/article/K24301698>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.3 \n[CVE-2021-23028](<https://support.f5.com/csp/article/K00602225>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.1 \n15.1.1 - 15.1.3 \n14.1.3.1 - 14.1.4.1 \n13.1.3.5 - 13.1.3.6 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.2 \n13.1.4 \n[CVE-2021-23029](<https://support.f5.com/csp/article/K52420610>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 | 16.1.0 \n16.0.1.2 \n[CVE-2021-23030](<https://support.f5.com/csp/article/K42051445>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.3 \n13.1.4.1 \n[CVE-2021-23031](<https://support.f5.com/csp/article/K41351250>) | \n\nHigh\n\n\\--\n\nCritical - Appliance mode only2\n\n| \n\n8.8\n\n\\--\n\n9.92\n\n| BIG-IP (Advanced WAF, 
ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.5 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.1 \n13.1.4 \n12.1.6 \n11.6.5.3 \n[CVE-2021-23032](<https://support.f5.com/csp/article/K45407662>) | High | 7.5 | BIG-IP (DNS) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n15.1.3.1 \n14.1.4.4 \n13.1.5 \n[CVE-2021-23033](<https://support.f5.com/csp/article/K05314769>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n15.1.3.1 \n14.1.4.3 \n13.1.4.1 \n[CVE-2021-23034](<https://support.f5.com/csp/article/K30523121>)3 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 | 16.1.0 \n15.1.3.1 \n[CVE-2021-23035](<https://support.f5.com/csp/article/K70415522>) | High | 7.5 | BIG-IP (all modules) | 14.1.0 - 14.1.4 | 14.1.4.4 \n[CVE-2021-23036](<https://support.f5.com/csp/article/K05043394>) | High | 7.5 | BIG-IP (Advanced WAF, ASM, DataSafe) | 16.0.0 - 16.0.1 | 16.1.0 \n16.0.1.2 \n[CVE-2021-23037](<https://support.f5.com/csp/article/K21435974>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.1.1 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.2 \n15.1.4.1 \n14.1.4.5 \n13.1.5 \n[CVE-2021-23038](<https://support.f5.com/csp/article/K61643620>) | Medium | 6.8 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.0.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.2 \n13.1.4.1 \n[CVE-2021-23039](<https://support.f5.com/csp/article/K66782293>) | Medium | 6.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.0.0 - 15.1.2 \n14.1.0 - 14.1.2 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.2.8 \n13.1.5 \n[CVE-2021-23040](<https://support.f5.com/csp/article/K94255403>) | Medium | 5.4 | BIG-IP AFM | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 
13.1.3 \n12.1.0 - 12.1.6 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.2 \n13.1.4.1 \n[CVE-2021-23041](<https://support.f5.com/csp/article/K42526507>) | Medium | 4.7 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.2 \n13.1.4.1 \n[CVE-2021-23042](<https://support.f5.com/csp/article/K93231374>) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.3 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.5 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4 \n13.1.4 \n12.1.6 \n[CVE-2021-23043](<https://support.f5.com/csp/article/K63163637>) | Medium | 4.3 | BIG-IP (all modules) | 16.0.0 - 16.1.1 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.2 \n15.1.4.1 \n14.1.4.5 \n13.1.5 \n[CVE-2021-23044](<https://support.f5.com/csp/article/K35408374>) | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n15.1.3.1 \n14.1.4.2 \n13.1.4.1 \n[CVE-2021-23045](<https://support.f5.com/csp/article/K94941221>) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.3 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.5 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.3 \n13.1.4.1 \n[CVE-2021-23046](<https://support.f5.com/csp/article/K70652532>) | Medium | 4.9 | BIG-IP (Guided Configuration) | 7.0 \n6.0 \n5.0 \n4.1 \n3.0 | 8.0 \nBIG-IP APM5 | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 16.1.0 \n[CVE-2021-23047](<https://support.f5.com/csp/article/K79428827>) | Medium | 5.3 | BIG-IP APM | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n15.1.3.1 \n14.1.4.3 \n13.1.5 \n[CVE-2021-23048](<https://support.f5.com/csp/article/K19012930>) | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 
\n12.1.0 - 12.1.5 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.3 \n13.1.4.1 \n[CVE-2021-23049](<https://support.f5.com/csp/article/K65397301>) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 | 16.1.0 \n16.0.1.2 \n15.1.3 \n[CVE-2021-23050](<https://support.f5.com/csp/article/K44553214>) | Medium | 5.9 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \nNGINX App Protect | 3.0.0 - 3.4.0 \n2.0.0 - 2.3.0 \n1.0.0 - 1.3.0 | 3.5.0 \n[CVE-2021-23051](<https://support.f5.com/csp/article/K01153535>) | Medium | 5.9 | BIG-IP (all modules) | 15.1.0.4 - 15.1.3 | 16.0.0 \n15.1.3.1 \n[CVE-2021-23052](<https://support.f5.com/csp/article/K32734107>) | Medium | 6.1 | BIG-IP APM | 14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 14.1.4.4 \n13.1.5 \n[CVE-2021-23053](<https://support.f5.com/csp/article/K36942191>) | Low | 3.7 | BIG-IP (Advanced WAF, ASM) | 15.1.0 - 15.1.2 \n14.1.0 - 14.1.3 \n13.1.0 - 13.1.3 | 16.0.0 \n15.1.3 \n14.1.3.1 \n13.1.3.6 \n[ID 889601](<https://support.f5.com/csp/article/K14903688>) | Not applicable | Not applicable | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.0.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.3 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4 \n13.1.4 \n[ID 928685](<https://support.f5.com/csp/article/K49549213>) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.2 \n13.1.4.1 \n[ID 929001](<https://support.f5.com/csp/article/K48321015>) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.3 \n12.1.0 - 12.1.5 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3 \n14.1.4.1 \n13.1.4 \n12.1.6 \n11.6.5.3 \n[ID 943913](<https://support.f5.com/csp/article/K30150004>) \n[WAFMC-4566](<https://support.f5.com/csp/article/K30150004>) | Not applicable | Not applicable | 
BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.3.1 \n14.1.4.2 \n13.1.4.1 \nNGINX App Protect | 3.0.0 - 3.4.0 \n2.0.0 - 2.3.0 \n1.0.0 - 1.3.0 | 3.5.0 \n[ID 968421](<https://support.f5.com/csp/article/K30291321>) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.2 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.5 \n11.6.1 - 11.6.5 | 16.1.0 \n16.0.1.2 \n15.1.2.1 \n14.1.4.2 \n13.1.4.1 \n12.1.6 \n11.6.5.3 \nNGINX App Protect | 2.0.0 - 2.1.0 \n1.0.0 - 1.3.0 | 2.2.0 \n[ID 987157](<https://support.f5.com/csp/article/K05391775>) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 13.1.0 -13.1.4 | 13.1.5 \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\n2The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>).\n\n3The fix for this issue may cause a loss of functionality when the iRule command [RESOLV::lookup](<https://clouddocs.f5.com/api/irules/RESOLV__lookup.html>) is used. 
The iRule command **RESOLV::lookup** is deprecated as of BIG-IP 15.1.0; F5 recommends that customers update their iRules in favor of the [RESOLVER](<https://clouddocs.f5.com/api/irules/RESOLVER.html>) and [DNSMSG](<https://clouddocs.f5.com/api/irules/DNSMSG.html>) namespaces.\n\nFor more information on the specific conditions that result in a loss of behavior, refer to the following Bug Tracker items:\n\n * [Bug ID 1010697](<https://cdn.f5.com/product/bugtracker/ID1010697.html>)\n * [Bug ID 1037005](<https://cdn.f5.com/product/bugtracker/ID1037005.html>)\n * [Bug ID 1038921](<https://cdn.f5.com/product/bugtracker/ID1038921.html>)\n\n4This issue has been fixed in an engineering hotfix available for supported versions of the BIG-IP system. Customers affected by this issue can request a hotfix from F5 Support on the latest supported versions of the BIG-IP system.\n\n5You can independently upgrade F5 Guided Configuration without upgrading the entire BIG-IP system. To address this vulnerability, you can download and install an F5 Guided Configuration version listed in the **Fixed introduced in** column. 
For more information on how to upgrade F5 Guided Configuration and its supported upgrade path, refer to [K85454683: Upgrading F5 Guided Configuration on BIG-IP** **](<https://support.f5.com/csp/article/K85454683>)and [K06258575: Supported upgrade path for Guided Configuration](<https://support.f5.com/csp/article/K06258575>).\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-24T13:55:00", "type": "f5", "title": "Overview of F5 vulnerabilities (August 2021)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5862", "CVE-2021-23025", "CVE-2021-23026", "CVE-2021-23027", "CVE-2021-23028", "CVE-2021-23029", "CVE-2021-23030", "CVE-2021-23031", "CVE-2021-23032", "CVE-2021-23033", "CVE-2021-23034", "CVE-2021-23035", "CVE-2021-23036", "CVE-2021-23037", "CVE-2021-23038", "CVE-2021-23039", "CVE-2021-23040", "CVE-2021-23041", "CVE-2021-23042", "CVE-2021-23043", "CVE-2021-23044", "CVE-2021-23045", "CVE-2021-23046", "CVE-2021-23047", "CVE-2021-23048", "CVE-2021-23049", "CVE-2021-23050", "CVE-2021-23051", "CVE-2021-23052", "CVE-2021-23053"], "modified": "2022-04-20T04:11:00", "id": "F5:K50974556", "href": 
"https://support.f5.com/csp/article/K50974556", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:09:28", "description": "On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-09-14T22:15:00", "type": "cve", "title": "CVE-2021-23027", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23027"], "modified": "2021-09-28T18:51:00", "cpe": ["cpe:/a:f5:big-ip_application_acceleration_manager:15.1.3", "cpe:/a:f5:big-ip_access_policy_manager:14.1.4", "cpe:/a:f5:big-ip_advanced_web_application_firewall:16.0.1.1", "cpe:/a:f5:big-ip_analytics:15.1.3", "cpe:/a:f5:big-ip_policy_enforcement_manager:14.1.4", "cpe:/a:f5:big-ip_domain_name_system:14.1.4", 
"cpe:/a:f5:big-ip_ssl_orchestrator:15.1.3", "cpe:/a:f5:big-ip_advanced_firewall_manager:16.0.1.1", "cpe:/a:f5:big-ip_application_security_manager:15.1.3", "cpe:/a:f5:big-ip_ddos_hybrid_defender:15.1.3", "cpe:/a:f5:big-ip_domain_name_system:15.1.3", "cpe:/a:f5:big-ip_ddos_hybrid_defender:16.0.1.1", "cpe:/a:f5:big-ip_link_controller:15.1.3", "cpe:/a:f5:big-ip_advanced_firewall_manager:14.1.4", "cpe:/a:f5:big-ip_domain_name_system:16.0.1.1", "cpe:/a:f5:big-ip_ssl_orchestrator:14.1.4", "cpe:/a:f5:big-ip_local_traffic_manager:15.1.3", "cpe:/a:f5:big-ip_fraud_protection_service:16.0.1.1", "cpe:/a:f5:big-ip_access_policy_manager:16.0.1.1", "cpe:/a:f5:big-ip_access_policy_manager:15.1.3", "cpe:/a:f5:big-ip_ddos_hybrid_defender:14.1.4", "cpe:/a:f5:big-ip_application_acceleration_manager:14.1.4", "cpe:/a:f5:big-ip_application_security_manager:14.1.4", "cpe:/a:f5:big-ip_fraud_protection_service:15.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:16.0.1.1", "cpe:/a:f5:big-ip_local_traffic_manager:14.1.4", "cpe:/a:f5:big-ip_advanced_firewall_manager:15.1.3", "cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.4", "cpe:/a:f5:big-ip_ssl_orchestrator:16.0.1.1", "cpe:/a:f5:big-ip_application_security_manager:16.0.1.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:15.1.3", "cpe:/a:f5:big-ip_link_controller:16.0.1.1", "cpe:/a:f5:big-ip_analytics:16.0.1.1", "cpe:/a:f5:big-ip_application_acceleration_manager:16.0.1.1", "cpe:/a:f5:big-ip_link_controller:14.1.4", "cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:15.1.3", "cpe:/a:f5:big-ip_local_traffic_manager:16.0.1.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:16.0.1.1", "cpe:/a:f5:big-ip_fraud_protection_service:14.1.4", "cpe:/a:f5:big-ip_global_traffic_manager:14.1.4", "cpe:/a:f5:big-ip_analytics:14.1.4"], "id": "CVE-2021-23027", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23027", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": 
["cpe:2.3:a:f5:big-ip_ssl_orchestrator:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ssl_orchestrator:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:15.1.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_ssl_orchestrator:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:14.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:15.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:16.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:14.1.4:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-08-26T23:21:16", "description": "Application delivery and networking firm F5 released a baker\u2019s dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to \u201ccritical\u201d for customers that run BIG-IP in Appliance Mode, given that an attacker that holds valid credentials can bypass Appliance Mode restrictions.\n\nF5 \u2013 maker of near-ubiquitously installed enterprise networking gear \u2013 disclosed nearly 30 vulnerabilities for multiple devices in its [August security updates](<https://support.f5.com/csp/article/K50974556>).\n\nThe worst of the bunch is tracked as [CVE-2021-23031](<https://support.f5.com/csp/article/K41351250>) and affects BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM) \u2013 specifically, the Traffic Management User Interface (TMUI).\n\nF5 said that 
when the vulnerability is exploited, \u201can authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,\u201d potentially leading to \u201ccomplete system compromise.\u201d\n\nCVE-2021-23031 normally entails a high rating of 8.8 severity, but that gets jacked up to 9.9 for just those customers that are using [Appliance mode](<https://support.f5.com/csp/article/K12815>). The Appliance mode adds technical restrictions and is designed to meet the needs of customers in \u201cespecially sensitive sectors\u201d by \u201climiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.\u201d\n\nF5 lists a number of products that contain the affected code but aren\u2019t vulnerable, given that attackers can\u2019t exploit the code in default, standard or recommended configurations. F5 noted that there are a limited number of customers using it in the mode \u2013 i.e., Appliance mode \u2013 that elevates the vulnerability\u2019s CVSSv3 severity score to 9.9 (critical).\n\n## No Viable Mitigation\n\nF5 said that there\u2019s \u201cno viable mitigation\u201d that also allows users access to the Configuration utility, given that this attack can be pulled off by legitimate, authenticated users. 
The only way to mitigate is to pull the access of any users who aren\u2019t \u201ccompletely trusted,\u201d according to the advisory.\n\nCustomers who can\u2019t install a fixed version right off the bat can use the following temporary mitigations, which restrict access to the Configuration utility to only trusted networks or devices and thereby limit the attack surface:\n\n * [Block Configuration utility access through self IP addresses](<https://support.f5.com/csp/article/K41351250#proc1>)\n * [Block Configuration utility access through the management interface](<https://support.f5.com/csp/article/K41351250#proc2>)\n\nMichael Haugh, Vice President at network automation provider Gluware, told Threatpost that known vulnerabilities are challenging to respond to quickly or to mitigate speedily: As it is, network operation crews are \u201cunder the gun to keep the network highly available, secure and delivering the required performance for the business applications,\u201d he said. \u201cVendor vulnerabilities that require an OS Upgrade or patch can be very labor-intensive and potentially disruptive.\u201d\n\nVia email, Haugh observed that when it comes to a load balancer like F5, redundancy \u201cmust be part of the device\u201d and traffic \u201cmust be re-directed off an active device, taking it out of service to perform an upgrade.\u201d\n\nNot just once, mind you, but, often, multiple times: \u201cThis process often has to be repeated over dozens or even hundreds of devices depending on the organization. Having automated processes to pre-check, stage the image, gracefully execute the upgrades and complete post-checks can significantly improve the ability for NetOps to respond and execute a low-risk upgrade.\u201d\n\n## The Other Dozen Bugs\n\nBesides the critical CVE-2021-23031 flaw, the dozen high-severity security bugs addressed in this month\u2019s patch release and listed in the table below have risk scores of between 7.2 and 7.5. 
The flaws include authenticated remote command execution (RCE), cross-site scripting (XSS) and request forgery, as well as insufficient permission and denial-of-service (DOS).\n\nHalf of them affect all modules, five impact the Advanced WAF and ASM, and one affects the DNS module.\n\nCVE / Bug ID | Severity | CVSS score | Affected products | Affected versions | Fixes introduced in\n---|---|---|---|---|---\n[CVE-2021-23025](<https://support.f5.com/csp/article/K55543151>) | High | 7.2 | BIG-IP (all modules) | 15.0.0 \u2013 15.1.0<br>14.1.0 \u2013 14.1.3<br>13.1.0 \u2013 13.1.3<br>12.1.0 \u2013 12.1.6<br>11.6.1 \u2013 11.6.5 | 16.0.0<br>15.1.0.5<br>14.1.3.1<br>13.1.3.5\n[CVE-2021-23026](<https://support.f5.com/csp/article/K53854428>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.2<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.4<br>12.1.0 \u2013 12.1.6<br>11.6.1 \u2013 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.2<br>13.1.4.1\n | | | BIG-IQ | 8.0.0 \u2013 8.1.0<br>7.0.0 \u2013 7.1.0<br>6.0.0 \u2013 6.1.0 | None\n[CVE-2021-23027](<https://support.f5.com/csp/article/K24301698>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.2<br>14.1.0 \u2013 14.1.4 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3\n[CVE-2021-23028](<https://support.f5.com/csp/article/K00602225>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.3<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.3 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.2<br>13.1.4\n[CVE-2021-23029](<https://support.f5.com/csp/article/K52420610>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 \u2013 16.0.1 | 16.1.0<br>16.0.1.2\n[CVE-2021-23030](<https://support.f5.com/csp/article/K42051445>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.3<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.4<br>12.1.0 \u2013 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1 
\n[CVE-2021-23031](<https://support.f5.com/csp/article/K41351250>) | High<br>Critical \u2013 Appliance mode only | 8.8<br>9.9 | BIG-IP (Advanced WAF, ASM) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.2<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.3<br>12.1.0 \u2013 12.1.5<br>11.6.1 \u2013 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.1<br>13.1.4<br>12.1.6<br>11.6.5.3\n[CVE-2021-23032](<https://support.f5.com/csp/article/K45407662>) | High | 7.5 | BIG-IP (DNS) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.3<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.4<br>12.1.0 \u2013 12.1.6 | 16.1.0<br>15.1.3.1<br>14.1.4.4\n[CVE-2021-23033](<https://support.f5.com/csp/article/K05314769>) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.3<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.4<br>12.1.0 \u2013 12.1.6 | 16.1.0<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1\n[CVE-2021-23034](<https://support.f5.com/csp/article/K30523121>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 \u2013 16.0.1<br>15.1.0 \u2013 15.1.3 | 16.1.0<br>15.1.3.1\n[CVE-2021-23035](<https://support.f5.com/csp/article/K70415522>) | High | 7.5 | BIG-IP (all modules) | 14.1.0 \u2013 14.1.4 | 14.1.4.4\n[CVE-2021-23036](<https://support.f5.com/csp/article/K05043394>) | High | 7.5 | BIG-IP (Advanced WAF, ASM, DataSafe) | 16.0.0 \u2013 16.0.1 | 16.1.0<br>16.0.1.2\n[CVE-2021-23037](<https://support.f5.com/csp/article/K21435974>) | High | 7.5 | BIG-IP (all modules) | 16.0.0 \u2013 16.1.0<br>15.1.0 \u2013 15.1.3<br>14.1.0 \u2013 14.1.4<br>13.1.0 \u2013 13.1.4<br>12.1.0 \u2013 12.1.6<br>11.6.1 \u2013 11.6.5 | None\n\n## CISA Security Advisory\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/25/f5-releases-august-2021-security-advisory>) encouraging users and admins to review [F5\u2019s security advisory](<https://support.f5.com/csp/article/K50974556>) and to update the software or to apply 
mitigations ASAP.\n\n\u201cDon\u2019t delay\u201d is, of course, good advice when it comes to F5 equipment, given that the company\u2019s enterprise networking can be found in some of the largest tech companies in the world, including Facebook, Microsoft and Oracle. It\u2019s also found in the halls of a trove of Fortune 500 companies, including some of the world\u2019s biggest financial institutions and ISPs.\n\n## F5: Prime Pickings for Pests\n\nAll that gear is also gleefully picked apart by attackers. Case in point: [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>), a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more, was recently featured in [CISA\u2019s list of top 30 bugs](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>) \u201croutinely\u201d exploited in 2020 and into this year.\n\nJonathan Chua, application security consultant at app security provider nVisium, noted that F5 BIG-IP has been targeted by security researchers and adversaries due to the product\u2019s vulnerable, external nature. \u201cSeveral F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service,\u201d he told Threatpost on Thursday. \u201cDue to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company\u2019s network via the external perimeter.\u201d\n\nHe pointed to the F5 Traffic Management User Interface (TMUI), which is [being actively exploited](<https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/>), as one example. The service is often available on a company\u2019s external perimeter and contains a critical RCE vulnerability, he noted. 
\u201cAs a result, if the service is exploited, such service may provide external attackers an initial foothold in a company\u2019s internal network,\u201d Chua said in an email.\n\n082621 13:48 UPDATE: Added input from Jonathan Chua and Michael Haugh.\n", "cvss3": {}, "published": "2021-08-26T16:40:38", "type": "threatpost", "title": "F5 Bug Could Lead to Complete System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-23025", "CVE-2021-23026", "CVE-2021-23027", "CVE-2021-23028", "CVE-2021-23029", "CVE-2021-23030", "CVE-2021-23031", "CVE-2021-23032", "CVE-2021-23033", "CVE-2021-23034", "CVE-2021-23035", "CVE-2021-23036", "CVE-2021-23037"], "modified": "2021-08-26T16:40:38", "id": "THREATPOST:3132894F3650D97BBD8B8F473D9F1F4E", "href": "https://threatpost.com/f5-critical-bug-system-takeover/168952/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:37:23", "description": "Enterprise security and network appliance vendor F5 has released patches for more than [two dozen security vulnerabilities](<https://support.f5.com/csp/article/K50974556>) affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.\n\nOf the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.\n\nChief among them is [CVE-2021-23031](<https://support.f5.com/csp/article/K41351250>) (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP 
Application Security Manager that allows an authenticated user to perform a privilege escalation.\n\n\"When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,\" F5 said in its advisory.\n\nIt's worth noting that for customers running the device in [Appliance Mode](<https://support.f5.com/csp/article/K12815>), which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical rating of 9.9 out of 10. \"As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,\" the company said.\n\nThe other major vulnerabilities resolved by F5 are listed below -\n\n * **CVE-2021-23025** (CVSS score: 7.2) - Authenticated remote command execution vulnerability in BIG-IP Configuration utility\n * **CVE-2021-23026** (CVSS score: 7.5) - Cross-site request forgery (CSRF) vulnerability in iControl SOAP\n * **CVE-2021-23027 and CVE-2021-23037** (CVSS score: 7.5) - TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities\n * **CVE-2021-23028** (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM vulnerability\n * **CVE-2021-23029** (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM TMUI vulnerability\n * **CVE-2021-23030 and CVE-2021-23033** (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM Websocket vulnerabilities\n * **CVE-2021-23032** (CVSS score: 7.5) - BIG-IP DNS vulnerability\n * **CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036** (CVSS score: 7.5) - Traffic Management Microkernel vulnerabilities\n\nAdditionally, F5 has also patched a number of flaws that range from directory traversal vulnerability and SQL injection to open redirect vulnerability and 
cross-site request forgery, as well as a MySQL database flaw that results in the database consuming more storage space than expected when brute-force protection features of the firewall are enabled.\n\nWith F5 devices often becoming [juicy](<https://thehackernews.com/2020/07/f5-big-ip-application-security.html>) [targets](<https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html>) for active exploitation attempts by threat actors, it's highly recommended that users and administrators install updated software or apply the necessary mitigations as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-26T11:51:00", "type": "thn", "title": "F5 Releases Critical Security Patch for BIG-IP and BIG-IQ Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23025", "CVE-2021-23026", "CVE-2021-23027", 
"CVE-2021-23028", "CVE-2021-23029", "CVE-2021-23030", "CVE-2021-23031", "CVE-2021-23032", "CVE-2021-23033", "CVE-2021-23034", "CVE-2021-23035", "CVE-2021-23036", "CVE-2021-23037"], "modified": "2021-08-27T07:48:49", "id": "THN:AB6AF941A4E7A9700ED2262D095F402F", "href": "https://thehackernews.com/2021/08/f5-releases-critical-security-patches.html", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}]}