F5F5:K40084114K40084114 : Overview of F5 vulnerabilities (January 2022)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
58.1%
Security Advisory Description
On January 19, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.
- High CVEs
- Medium CVEs
- Low CVEs
- Security exposures
High CVEs
| CVE | Security advisory description | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2022-23008 | An authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. | 8.7 | NGINX Controller API Management | 3.18.0 - 3.19.0 | 3.19.1 |
| CVE-2022-23009 | An authenticated administrative role user on a BIG-IQ-managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. | 8.0 | BIG-IQ Centralized Management | 8.0.0 | 8.1.0 |
| CVE-2022-23010 | When a FastL4 profile and an HTTP profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 | |
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.5 | |||||
| 11.6.1 - 11.6.5 | 16.1.0 | ||||
| 15.1.4.1 | |||||
| 14.1.4.4 | |||||
| 13.1.5 | |||||
| CVE-2022-23011 | On certain hardware BIG-IP platforms, virtual servers may stop responding while processing TCP traffic due to an issue in the SYN Cookie Protection feature. | 7.5 | BIG-IP (all modules) | ||
| 15.1.0 - 15.1.3 | |||||
| 14.1.0 - 14.1.2 | 16.0.0 | ||||
| 15.1.4 | |||||
| 14.1.3 | |||||
| CVE-2022-23012 | When the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (all modules) | ||
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | 16.0.0 | ||||
| 15.1.4.1 | |||||
| 14.1.4.5 | |||||
| CVE-2022-23013 | A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility, which allows an attacker to execute JavaScript in the context of the current logged-in user. | 7.5 | BIG-IP (DNS, GTM) | ||
| 15.1.0 - 15.1.3 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.6 | |||||
| 11.6.1 - 11.6.5 | 16.1.0 | ||||
| 15.1.4 | |||||
| 14.1.4.4 | |||||
| 13.1.5 | |||||
| CVE-2022-23014 | When BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (APM) | ||
| 16.1.0 - 16.1.1 | |||||
| 15.1.0 - 15.1.4 | 17.0.0 | ||||
| 16.1.2 | |||||
| 15.1.4.1 | |||||
| CVE-2022-23015 | When a Client SSL profile is configured on a virtual server with Client Certificate Authentication set to request/require and Session Ticket enabled and configured, processing SSL traffic can cause an increase in memory resource utilization. | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 | |
| 15.1.0 - 15.1.4 | |||||
| 14.1.2.6 - 14.1.4 | 16.1.0 | ||||
| 15.1.4.1 | |||||
| 14.1.4.5 | |||||
| CVE-2022-23016 | When BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (all modules) | ||
| 16.0.0 - 16.1.1 | |||||
| 15.1.0 - 15.1.4 | 17.0.0 | ||||
| 16.1.2 | |||||
| 15.1.4.1 | |||||
| CVE-2022-23017 | When a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 | |
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | 16.1.0 | ||||
| 15.1.4.1 | |||||
| 14.1.4.5 | |||||
| 13.1.5 | |||||
| CVE-2022-23018 | When a virtual server is configured with both HTTP protocol security and HTTP Proxy Connect profiles, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (AFM) | ||
| 16.0.0 - 16.1.1 | |||||
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.3.4 - 13.1.4 | 17.0.0 | ||||
| 16.1.2 | |||||
| 15.1.4.1 | |||||
| 14.1.4.5 | |||||
| 13.1.5 | |||||
| CVE-2022-23019 | When a message routing type virtual server is configured with both Diameter Session and Router Profiles, undisclosed traffic can cause an increase in memory resource utilization. | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.1 | |
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.6 | 16.1.2 | ||||
| 15.1.4.1 | |||||
| 14.1.4.4 | |||||
| 13.1.5 | |||||
| CVE-2022-23020 | When the ‘Respond on Error’ setting is enabled on the Request Logging profile and configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (all modules) | ||
| 16.1.0 - 16.1.1 | 17.0.0 | ||||
| 16.1.2 | |||||
| CVE-2022-23021 | When any of the following configurations are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate: HTTP redirect rule in an LTM policy, BIG-IP APM Access Profile, and Explicit HTTP Proxy in HTTP Profile. | 7.5 | BIG-IP (all modules) | ||
| 16.1.0 - 16.1.1 | 17.0.0 | ||||
| 16.1.2 | |||||
| CVE-2022-23022 | When an HTTP profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 | BIG-IP (all modules) | ||
| 16.1.0 - 16.1.1 | 17.0.0 | ||||
| 16.1.2 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Medium CVEs
| CVE | Security advisory description | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2022-23023 | Undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. | 6.5 | BIG-IP (all modules) | ||
| 16.1.0 - 16.1.2 | |||||
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.5 | 17.0.0 | ||||
| 16.1.2.1 | |||||
| 15.1.5 | |||||
| 14.1.4.5 | |||||
| 13.1.5 | |||||
| BIG-IQ Centralized Management | 8.0.0 - 8.2.0 | ||||
| 7.0.0 - 7.1.0 | None | ||||
| CVE-2022-23024 | When the IPsec application layer gateway (ALG) logging profile is configured on an IPsec ALG virtual server, undisclosed IPsec traffic can cause the Traffic Management Microkernel (TMM) to terminate. | 5.9 | BIG-IP (AFM) | ||
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | 16.1.0 | ||||
| 15.1.4.1 | |||||
| 14.1.4.2 | |||||
| 13.1.5 | |||||
| CVE-2022-23025 | When a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 5.9 | BIG-IP (all modules) | 16.1.0 | |
| 15.1.0 - 15.1.3 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | 16.1.1 | ||||
| 15.1.4 | |||||
| 14.1.4.4 | |||||
| 13.1.5 | |||||
| CVE-2022-23026 | An authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. | 5.4 | BIG-IP (Advanced WAF, ASM) | ||
| 16.0.0 - 16.1.1 | |||||
| 15.1.0 - 15.1.4 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.6 | 17.0.0 | ||||
| 16.1.2 | |||||
| 15.1.4.1 | |||||
| 14.1.4.5 | |||||
| 13.1.5 | |||||
| CVE-2022-23027 | When a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. | 5.3 | BIG-IP (all modules) | ||
| 15.1.0 - 15.1.3 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.3.6 - 13.1.4 | |||||
| 12.1.5.3 - 12.1.6 | |||||
| 11.6.5.2 | 16.0.0 | ||||
| 15.1.4 | |||||
| 14.1.4.4 | |||||
| 13.1.5 |
CVE-2022-23028| When global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail.| 5.3| BIG-IP (AFM)|
15.1.0 - 15.1.4
14.1.0 - 14.1.4
13.1.0 - 13.1.4| 16.1.0
15.1.5
14.1.4.5
13.1.5
CVE-2022-23029| When a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.| 5.3| BIG-IP (all modules)|
15.1.0 - 15.1.4
14.1.0 - 14.1.4
13.1.0 - 13.1.4
12.1.0 - 12.1.6
11.6.1 - 11.6.5| 16.1.0
15.1.4.1
14.1.4.4
13.1.5
CVE-2022-23030| When the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization.| 5.3| BIG-IP (all modules)|
16.1.0 - 16.1.1
15.1.0 - 15.1.4
14.1.0 - 14.1.4
13.1.0 - 13.1.4| 17.0.0
16.1.2
15.1.4.1
14.1.4.5
13.1.5
CVE-2022-23031| An XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests.| 4.9| BIG-IP (Advanced WAF, ASM, FPS)|
16.0.0 - 16.1.0
15.1.0 - 15.1.3
14.1.0 - 14.1.4| 17.0.0
16.1.1
15.1.4
14.1.4.4
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Low CVEs
| CVE | Security advisory description | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2022-23032 | When proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows are vulnerable to DNS rebinding attack. | 3.1 | BIG-IP (APM) | 16.0.0 - 16.1.2 | |
| 15.1.0 - 15.1.5 | |||||
| 14.1.0 - 14.1.4 | |||||
| 13.1.0 - 13.1.4 | |||||
| 12.1.0 - 12.1.6 | |||||
| 11.6.1 - 11.6.5 | 16.1.2.2 | ||||
| 15.1.5.1 | |||||
| 14.1.4.5 | |||||
| 13.1.5 | |||||
| BIG-IP APM Clients | 7.2.1 - 7.2.1.3 | ||||
| 7.1.6 - 7.1.9 | 7.2.1.4, 7.2.2 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Security exposures
| Bug IDs | Security advisory description | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| [ID 996381 | ||||
| WAFMC-4682](<https://my.f5.com/manage/s/article/K41503304>) | The F5 Advanced Web Application Firewall (Advanced WAF), BIG-IP ASM, and NGINX App Protect systems attack signature check may fail to match attack signature 200000128, as expected, for certain undisclosed requests. | BIG-IP (ASM) | ||
| 16.1.0 | ||||
| 16.0.0 - 16.0.1 | ||||
| 15.1.0 - 15.1.3 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.4 | ||||
| 12.1.0 - 12.1.6 | ||||
| 11.6.1 - 11.6.5 | 17.0.0 | |||
| 16.1.1 | ||||
| 16.0.1.2 | ||||
| 15.1.4 | ||||
| 14.1.4.4 | ||||
| 13.1.4.1 | ||||
| NGINX App Protect | 3.0.0 - 3.6.0 | |||
| 2.0.0 - 2.3.0 | ||||
| 1.0.0 - 1.3.0 | 3.7.0 | |||
| [ID 1019853 | ||||
| WAFMC-4672](<https://my.f5.com/manage/s/article/K30911244>) | The F5 Advanced Web Application Firewall (Advanced WAF), BIG-IP ASM, and NGINX App Protect attack signature check may fail to detect and block certain HTTP requests when some signatures are disabled on the security policy and wildcard header. | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.1 | |
| 15.1.0 - 15.1.4 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.4 | ||||
| 12.1.0 - 12.1.6 | ||||
| 11.6.1 - 11.6.5 | 16.1.2 | |||
| 15.1.4.1 | ||||
| 14.1.4.5 | ||||
| 13.1.5 | ||||
| NGINX App Protect | 3.0.0 - 3.6.0 | |||
| 2.0.0 - 2.3.0 | ||||
| 1.0.0 - 1.3.0 | 3.7.0 | |||
| ID 1035853 | When transparent Domain Name System (DNS) cache is configured on a virtual server, undisclosed Extension Mechanisms for DNS (EDNS0) queries can cause the BIG-IP system to send a large volume of User Datagram Protocol (UDP) traffic on the server side. | BIG-IP (DNS, GTM, LTM) | 16.1.0 - 16.1.1 | |
| 15.1.0 - 15.1.4 | ||||
| 14.1.0 - 14.1.4 | ||||
| 13.1.0 - 13.1.4 | ||||
| 12.1.0 - 12.1.6 | ||||
| 11.6.1 - 11.6.5 | 16.1.2 | |||
| 15.1.5 | ||||
| 14.1.4.5 | ||||
| 13.1.5 |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
58.1%