F5F5:K14649763K14649763 : Overview of F5 vulnerabilities (August 2022)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
57.4%
Security Advisory Description
On August 3, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.
Distributed Cloud and Managed Services
| Service | Status |
|---|---|
| F5 Distributed Cloud Services | Does not affect or has been resolved |
| Silverline | Does not affect or has been resolved |
| Threat Stack | Does not affect or has been resolved |
- High CVEs
- Medium CVEs
- Low CVEs
- Security Exposures
High CVEs
| Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K11010341: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-35243 | 8.7 - Appliance mode only | BIG-IP (all modules) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.5 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.5 | 17.0.0 | |||
| 16.1.3 | ||||
| 15.1.5.1 | ||||
| 14.1.5 | ||||
| K55580033: iControl REST vulnerability CVE-2022-35728 | 8.1 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.1.0 | |||
| 17.0.0.1 | ||||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 | ||||
| BIG-IQ Centralized Management | 8.0.0 - 8.1.0 | |||
| 7.0.0 - 7.1.0 | 8.2.0 | |||
| K93504311: TMM vulnerability CVE-2022-34655 | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | 17.0.0 | |||
| 16.1.0 | ||||
| 16.0.1.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K58235223: BIG-IP APM access policy vulnerability CVE-2022-35245 | 7.5 | BIG-IP (APM) | 16.1.0 - 16.1.3 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | 17.0.0 | |||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 | ||||
| K28405643: BIG-IP Message Routing MQTT vulnerability CVE-2022-35240 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | 17.0.0 | |||
| 16.1.2.2 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K79933541: HTTP2 profile vulnerability CVE-2022-35236 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | 17.0.0 | |||
| 16.1.2.2 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K59197053: BIG-IP TLS1.3 iRule vulnerability CVE-2022-34651 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.3 | |
| 15.1.0 - 15.1.6 | 17.0.0 | |||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| K16852653: TMM vulnerability CVE-2022-32455 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.5 | 17.0.0 | |||
| 16.1.2.2 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K66510514: TMM vulnerability CVE-2022-34862 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.3 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.5 | 17.0.0 | |||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K52534925: BIG-IP APM and SSL Orchestrator vulnerability CVE-2022-33203 | 7.5 | BIG-IP (APM and SSL Orchestrator) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | 17.0.0 | |||
| 16.1.3 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K90024104: BIG-IP HTTP MRF vulnerability CVE-2022-35272 | 7.5 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 - 16.1.3 | 17.0.0.1 | |||
| 16.1.3.1 | ||||
| K13213418: BIG-IP monitor configuration vulnerability CVE-2022-35735 | 7.2 | BIG-IP (all modules) | 16.1.0 - 16.1.3 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.0.0 | |||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Medium CVEs
| Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K34893234: BIG-IP APM Appliance mode vulnerability CVE-2022-31473 | 6.8 - Appliance mode only | BIG-IP (APM) | 16.1.0 | |
| 15.1.0 - 15.1.3 | 17.0.0 | |||
| 16.1.1 | ||||
| 15.1.4 | ||||
| K80970653: BIG-IP iRules vulnerability CVE-2022-33962 | 6.7 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.1.0 | |||
| 17.0.0.1 | ||||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 | ||||
| K37080719: NGINX Instance Manager vulnerability CVE-2022-35241 | 6.5 | NGINX Instance Manager | 2.0.0 - 2.3.0 | |
| 1.0.0 - 1.0.4 | 2.3.1 | |||
| K52125139: NGINX Ingress Controller vulnerability CVE-2022-30535 | 6.5 | NGINX Ingress Controller | 2.0.0 - 2.2.0 | |
| 1.0.0 - 1.12.4 | 2.3.0 | |||
| K34511555: BIG-IP AWS vulnerability CVE-2022-34844 | 5.9 | BIG-IP (all modules) | 16.1.0 - 16.1.3 | |
| 15.1.0 - 15.1.6 | ||||
| 17.0.0 | ||||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| BIG-IQ Centralized Management | 8.0.0 - 8.2.0 | None | ||
| K38893457: BIG-IP DNS TMUI vulnerability CVE-2022-33947 | 5.4 | BIG-IP (DNS) | 16.0.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.5 | 17.0.0 | |||
| 16.1.3 | ||||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K25046752: Traffic Intelligence feeds vulnerability CVE-2022-34865 | 4.8 | BIG-IP (all modules) | 15.1.0 - 15.1.6 | |
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.5 | 16.1.0 | |||
| 15.1.6.1 | ||||
| 14.1.5 | ||||
| K50310001: BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2022-34851 | 4.3 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.1.0 | |||
| 17.0.0.1 | ||||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 | ||||
| BIG-IQ Centralized Management | 8.0.0 - 8.2.0 | None |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Low CVEs
| Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K23465404: BIG-IP LTM and APM NTLM vulnerability CVE-2022-33968 | 3.7 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.1.0 | |||
| 17.0.0.1 | ||||
| 16.1.3.1 | ||||
| 15.1.6.1 | ||||
| 14.1.5.1 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Security Exposures
| Security Advisory (Exposure) | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|
| K22251611: Attack signature check security exposure | BIG-IP (ASM/AWAF) | 16.1.0 - 16.1.2 | |
| 15.1.0 - 15.1.6 | |||
| 14.1.0 - 14.1.4 | |||
| 13.1.0 - 13.1.5 | 17.0.0 | ||
| 16.1.2.2 | |||
| 15.1.6.1 | |||
| 14.1.5 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
57.4%