On March 10th, 2021, F5 announced twenty-one (21) CVEs, including four Critical vulnerabilities. This document is intended to serve as an overview of these vulnerabilities to help determine the impact on your F5 devices. The details of each issue can be found in the associated Security Advisory.
You may also wish to review the Frequently Asked Questions documents:
The twenty-one (21) related vulnerabilities are as follows:
Critical CVEs
CVE-2021-22986
The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVSS score: 9.8 (Critical)
CVE-2021-22987
When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 9.9 (Critical)
CVE-2021-22991
Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL-based access control or remote code execution (RCE).
CVSS score: 9.0 (Critical)
CVE-2021-22992
A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.
CVSS score: 9.0 (Critical)
Because of the severity of the Critical vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All above vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 is also fixed in BIG-IQ 8.0.0, 7.1.0.3, and 7.0.0.2.
High CVEs
CVE-2021-22988
TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.8 (High)
CVE-2021-22989
When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.0 (High)
CVE-2021-22993
The DoS Profile properties page in TMUI has a DOM-based cross-site scripting (XSS) vulnerability.
CVSS score: 7.5 (High)
CVE-2021-22994
Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948.
CVSS score: 7.5 (High)
CVE-2021-22995
BIG-IQ high availability (HA), when using a Quorum device for automatic failover, does not implement any form of authentication with the Corosync daemon.
CVSS score: 8.2 (High)
CVE-2021-22996
When set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. This behavior may lead to a denial-of-service (DoS) and impact the stability of a BIG-IQ high availability (HA) cluster.
CVSS score: 7.5 (High)
CVE-2021-22997
The BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted.
CVSS score: 8.6 (High)
Medium CVEs
CVE-2021-22990
On systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 6.6 (Medium)
CVE-2021-22998
SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners.
CVSS score: 5.3 (Medium)
CVE-2021-22999
The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.
CVSS score: 5.9 (Medium)
CVE-2021-23000
If the tmm.http.rfc.enforcement BigDB key is enabled on a BIG-IP system, or the Bad host header value check is enabled in the AFM HTTP security profile associated with a virtual server, in rare instances a specific sequence of malicious requests may cause TMM to restart.
CVSS score: 5.9 (Medium)
CVE-2021-23001
The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.
CVSS score: 4.3 (Medium)
CVE-2021-23002
The session ID is visible in the arguments of the f5vpn.exe command when the VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes.
CVSS score: 6.1 (Medium)
CVE-2021-23003
The Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server.
CVSS score: 5.9 (Medium)
CVE-2021-23004
Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile.
CVSS score: 5.9 (Medium)
CVE-2021-23005
When using a Quorum device for BIG-IQ high availability (HA) automatic failover, BIG-IQ does not use Transport Layer Security (TLS) with the Corosync protocol.
CVSS score: 6.5 (Medium)
CVE-2021-23006
Undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability.
CVSS score: 5.4 (Medium)
The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.
CVE | Severity | CVSS score | Affected products | Affected versions | Fixed versions | Appliance mode / Non-Appliance mode [4] | Control plane / Data plane [5] |
---|---|---|---|---|---|---|---|
CVE-2021-22986 | Critical | 9.8 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1] | Both | Control plane - iControl REST |
CVE-2021-22986 | Critical | 9.8 | BIG-IQ | 7.1.0-7.1.0.2, 7.0.0-7.0.0.1, 6.0.0-6.1.0 | 8.0.0, 7.1.0.3, 7.0.0.2 | N/A | Control plane - iControl REST |
CVE-2021-22987 | Critical | 9.9 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Appliance mode | Control plane - TMUI |
CVE-2021-22991 | Critical | 9.0 | BIG-IP (All modules) [3] | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1] | Both | Data plane |
CVE-2021-22992 | Critical | 9.0 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Both | Data plane |
CVE-2021-22988 | High | 8.8 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Non-Appliance mode | Control plane - TMUI |
CVE-2021-22989 | High | 8.0 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Appliance mode | Control plane - TMUI |
CVE-2021-22993 | High | 7.5 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2 | 16.0.1.1 [2], 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 [1] | Both | Control plane - TMUI |
CVE-2021-22994 | High | 7.5 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Non-Appliance mode | Control plane - iControl REST |
CVE-2021-22995 | High | 8.2 | BIG-IQ | 7.0.0-7.1.0, 6.0.0-6.1.0 | 8.0.0 | N/A | Control plane - BIG-IQ high availability |
CVE-2021-22996 | High | 7.5 | BIG-IQ | 7.0.0-7.1.0 | 8.0.0 | N/A | Control plane - BIG-IQ Data Collection |
CVE-2021-22997 | High | 8.6 | BIG-IQ | 7.0.0-7.1.0, 6.0.0-6.1.0 | 8.0.0 | N/A | Control plane - BIG-IQ high availability |
CVE-2021-22990 | Medium | 6.6 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Non-Appliance mode | Control plane - TMUI |
CVE-2021-22998 | Medium | 5.3 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Both | Data plane - SNAT |
CVE-2021-22999 | Medium | 5.9 | BIG-IP (All modules) | 15.0.0-15.0.1, 14.1.0-14.1.3 | 16.0.0, 15.1.0, 14.1.4 [2] | Both | Data plane - HTTP/2 profile |
CVE-2021-23000 | Medium | 5.9 | BIG-IP (All modules) | 13.1.3.4-13.1.3.6, 12.1.5.2 | 14.0.0, 13.1.4, 12.1.5.3 [1] | Both | Data plane - TMM |
CVE-2021-23001 | Medium | 4.3 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2.1, 14.1.4 [2], 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Both | Control plane - iControl REST |
CVE-2021-23002 | Medium | 6.1 | BIG-IP APM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3, 13.1.0-13.1.3, 12.1.0-12.1.5, 11.6.1-11.6.5 | 16.0.1.1 [2][6], 15.1.2.1 [6][7], 14.1.4 [2][6], 13.1.3.6 [6] | Both | Data plane - APM VPN |
CVE-2021-23002 | Medium | 6.1 | BIG-IP APM Clients | 7.2.1, 7.1.9, 7.1.5-7.1.8 | 7.2.1.1, 7.1.9.8, 7.1.8.5 | N/A | N/A |
CVE-2021-23003 | Medium | 5.9 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Both | Data plane - TCP profile |
CVE-2021-23004 | Medium | 5.9 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1 [2], 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 [1], 11.6.5.3 | Both | Data plane - TCP profile |
CVE-2021-23005 | Medium | 6.5 | BIG-IQ | 7.0.0-7.1.0, 6.0.0-6.1.0 | 8.0.0 | N/A | Control plane - BIG-IQ high availability |
CVE-2021-23006 | Medium | 5.4 | BIG-IQ | 7.0.0-7.1.0, 6.0.0-6.1.0 | 8.0.0 | N/A | Control plane - BIG-IQ REST services |
[1] An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3.
[2] An issue with the Traffic Management Microkernel (TMM) process has been discovered in versions 16.0.1.1 and 14.1.4. For more information, refer to K37451543: TMM vulnerability CVE-2021-23007.
[3] Only specific functionality is affected; refer to K56715231: TMM Buffer Overflow vulnerability CVE-2021-22991.
[4] For information about Appliance mode, refer to K12815: Overview of Appliance mode.
[5] The data plane relates to traffic processing (TMM tasks), while the control plane relates to computing, storing, and processing information (non-TMM tasks).
[6] In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently of the BIG-IP software. For more information, refer to K52547540: Updating BIG-IP Edge Client for the BIG-IP APM system. Note also that when you upgrade or update to BIG-IP 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1, VPN users may encounter the issues described in the following articles: K39454429: Browser network access VPN clients fail to establish a VPN connection, and K25173042: Browser network access VPN clients may not establish the first time after an APM Clients update.
[7] BIG-IP APM 15.1.2.1 includes the server fix but does not include the client fix. After upgrading or updating to BIG-IP 15.1.2.1, you must also update APM Clients to a version listed in the Fixed versions column and install the fix on the client side. To install the fix on the client side, you can set Component Update to Yes in the affected Connectivity Profile, or redeploy and install the browser VPN helper application on all users' client machines. For more information, refer to K81649656: Overview of APM Clients update on BIG-IP APM.
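As an added defender-side check (example code, not F5's own tooling), the following Python triages a BIG-IP version string, as reported by tmsh show sys version, against a subset of the table rows above: it applies the table's inclusive version ranges and the Appliance mode column, recommends the fixed release on the running branch, and flags the fixed releases that footnotes 1 and 2 say carry a separately documented issue. The ADVISORY and FIX_CAVEATS data are copied from the table and footnotes; the function names are the example's own, and the remaining CVEs can be added from the same table.

```python
from typing import Dict, List, Tuple

# Subset of the table's BIG-IP rows: (affected ranges, fixed versions, mode the row applies to).
# Copied from the advisory table above; extend with the remaining CVEs from the same table.
ADVISORY: Dict[str, Tuple[List[str], List[str], str]] = {
    "CVE-2021-22986": (["16.0.0-16.0.1", "15.1.0-15.1.2", "14.1.0-14.1.3.1",
                        "13.1.0-13.1.3.5", "12.1.0-12.1.5.2"],
                       ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3"], "Both"),
    "CVE-2021-22987": (["16.0.0-16.0.1", "15.1.0-15.1.2", "14.1.0-14.1.3.1", "13.1.0-13.1.3.5",
                        "12.1.0-12.1.5.2", "11.6.1-11.6.5.2"],
                       ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3", "11.6.5.3"],
                       "Appliance mode"),
    "CVE-2021-22988": (["16.0.0-16.0.1", "15.1.0-15.1.2", "14.1.0-14.1.3.1", "13.1.0-13.1.3.5",
                        "12.1.0-12.1.5.2", "11.6.1-11.6.5.2"],
                       ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3", "11.6.5.3"],
                       "Non-Appliance mode"),
    "CVE-2021-23000": (["13.1.3.4-13.1.3.6", "12.1.5.2"], ["14.0.0", "13.1.4", "12.1.5.3"], "Both"),
}
# Table footnotes 1 and 2: fixed releases that carry a separately documented issue.
FIX_CAVEATS = {"12.1.5.3": "see K50524736 (bigd memory leak)",
               "16.0.1.1": "see K37451543 (CVE-2021-23007)",
               "14.1.4": "see K37451543 (CVE-2021-23007)"}

def parse_version(v: str) -> Tuple[int, ...]:
    """'14.1.4' -> (14, 1, 4, 0): zero-pad to four parts so 14.1.4 sorts below 14.1.4.1."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

def in_range(version: str, rng: str) -> bool:
    """Inclusive range check; a bare version such as '12.1.5.2' is a one-element range."""
    lo, _, hi = rng.partition("-")
    return parse_version(lo) <= parse_version(version) <= parse_version(hi or lo)

def fix_for_branch(version: str, fixed: List[str]) -> str:
    """Recommend the fixed release on the running major.minor branch, if the table lists one."""
    branch = parse_version(version)[:2]
    same = [f for f in fixed if parse_version(f)[:2] == branch]
    return same[0] if same else "no fix on this branch; move to a listed fixed version"

def triage(version: str, appliance_mode: bool) -> List[Tuple[str, str, str]]:
    """(CVE, recommended fix, caveat) for each listed CVE affecting this version and mode."""
    mode = "Appliance mode" if appliance_mode else "Non-Appliance mode"
    hits = []
    for cve, (ranges, fixed, applies_to) in ADVISORY.items():
        if applies_to in ("Both", mode) and any(in_range(version, r) for r in ranges):
            fix = fix_for_branch(version, fixed)
            hits.append((cve, fix, FIX_CAVEATS.get(fix, "")))
    return hits
```

Calling triage("14.1.3.1", appliance_mode=False) reports CVE-2021-22986 and CVE-2021-22988 with 14.1.4 as the fix and the footnote 2 caveat; CVE-2021-22987 is skipped because that row applies to Appliance mode only.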