Aug 24, 2021 - 12:00 a.m.

K50974556 : Overview of F5 vulnerabilities (August 2021)

2021-08-24 00:00:00
my.f5.com

EPSS: 0.002 (percentile: 61.1%)

Security Advisory Description

On August 24, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.

High CVEs

CVSS score: 7.2 (High)

An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.

CVSS score: 7.5 (High)

BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.

CVSS score: 7.5 (High)

A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

CVSS score: 7.5 (High)

When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.

CVSS score: 7.5 (High)

Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.

CVSS score: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

CVSS score: 8.8 (High) / 9.9 (Appliance Mode Only)
Note: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to K12815: Overview of Appliance mode.

An authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI.

CVSS score: 7.5 (High)

When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

CVSS score: 7.5 (High)

When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.

CVSS score: 7.5 (High)

When an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 7.5 (High)

When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 7.5 (High)

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

Medium CVEs

CVSS score: 6.8 (Medium)

A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

CVSS score: 6.5 (Medium)

When IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPSec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 5.4 (Medium)

A SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned.

CVSS score: 4.7 (Medium)

A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.

CVSS score: 5.3 (Medium)

When an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization.

CVSS score: 4.3 (Medium)

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files.

CVSS score: 5.9 (Medium)

When the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 5.3 (Medium)

When an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 4.9 (Medium)

When a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs.

CVSS score: 5.3 (Medium)

When BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use.

CVSS score: 5.9 (Medium)

When GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate.

CVSS score: 5.3 (Medium)

When the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS).

CVSS score: 5.9 (Medium)

When a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the BIG-IP ASM bd process to terminate.

CVSS score: 5.9 (Medium)

When the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862.

CVSS score: 6.1 (Medium)

An open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI.

Low CVEs

CVSS score: 3.7 (Low)

When the brute force protection feature of ASM/Adv WAF is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to the lack of a row limit on undisclosed tables in the MySQL database.

Security Exposures

The BIG-IP system does not properly verify the revocation of intermediate CA certificates when querying Online Certificate Status Protocol (OCSP) servers and may allow unauthorized connections.

F5 Advanced Web Application Firewall (WAF) and BIG-IP ASM brute force mitigation may fail.

The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages when the request contains an incorrectly formatted parameter. This issue occurs when the security policy includes a configuration that enables brute force protection for the HTML form login page.

The attack signature check may fail to detect and block malicious requests containing certain decimal-coded characters.

The attack signature check may fail to detect and block illegal requests.

The BIG-IP ASM system may not properly perform attack signature checks on request and response content.

The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.

Note: For security and sustainability, your best update choice is the latest maintenance release of a Long-Term Stability Release version.

  • Long-Term Stability Release versions have 1 for their minor release number (x.1.x), and they are not available for a period of time after a major release (x.0.x).
  • The latest maintenance release of a Long-Term Stability Release version (x.1.latest) can be between x.1.0 and x.1.n.

Updating to maintenance or point releases (x.1.x.x) for a Long-Term Stability Release version does not introduce changes in existing default behavior.

F5 recommends that you update or upgrade your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. For more information, see the release notes for BIG-IP 14.1.0 and BIG-IP 15.1.0.

High CVEs

| CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2021-23025 | High | 7.2 | BIG-IP (all modules) | 15.0.0 - 15.1.0<br>14.1.0 - 14.1.3<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.0.0<br>15.1.0.5<br>14.1.3.1<br>13.1.3.5 |
| CVE-2021-23026 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.2<br>13.1.4.1 |
| | | | BIG-IQ | 8.0.0 - 8.1.0<br>7.0.0 - 7.1.0<br>6.0.0 - 6.1.0 | None |
| CVE-2021-23027 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3 |
| CVE-2021-23028 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.1<br>15.1.1 - 15.1.3<br>14.1.3.1 - 14.1.4.1<br>13.1.3.5 - 13.1.3.6 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.2<br>13.1.4 |
| CVE-2021-23029 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 | 16.1.0<br>16.0.1.2 |
| CVE-2021-23030 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1 |
| CVE-2021-23031 | High<br>Critical - Appliance mode only² | 8.8<br>9.9² | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.5<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.1<br>13.1.4<br>12.1.6<br>11.6.5.3 |
| CVE-2021-23032 | High | 7.5 | BIG-IP (DNS) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>15.1.3.1<br>14.1.4.4<br>13.1.5 |
| CVE-2021-23033 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1 |
| CVE-2021-23034³ | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3 | 16.1.0<br>15.1.3.1 |
| CVE-2021-23035 | High | 7.5 | BIG-IP (all modules) | 14.1.0 - 14.1.4 | 14.1.4.4 |
| CVE-2021-23036 | High | 7.5 | BIG-IP (Advanced WAF, ASM, DataSafe) | 16.0.0 - 16.0.1 | 16.1.0<br>16.0.1.2 |
| CVE-2021-23037 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.1.1<br>15.1.0 - 15.1.4<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.2<br>15.1.4.1<br>14.1.4.5<br>13.1.5 |

Medium CVEs

| CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2021-23038 | Medium | 6.8 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.0.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.2<br>13.1.4.1 |
| CVE-2021-23039 | Medium | 6.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.0.0 - 15.1.2<br>14.1.0 - 14.1.2<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.2.8<br>13.1.5 |
| CVE-2021-23040 | Medium | 5.4 | BIG-IP AFM | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.2<br>13.1.4.1 |
| CVE-2021-23041 | Medium | 4.7 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.2<br>13.1.4.1 |
| CVE-2021-23042 | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.3<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4<br>13.1.4<br>12.1.6 |
| CVE-2021-23043 | Medium | 4.3 | BIG-IP (all modules) | 16.0.0 - 16.1.1<br>15.1.0 - 15.1.4<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.2<br>15.1.4.1<br>14.1.4.5<br>13.1.5 |
| CVE-2021-23044 | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.0<br>15.1.3.1<br>14.1.4.2<br>13.1.4.1 |
| CVE-2021-23045 | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.3<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.5 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1 |
| CVE-2021-23046 | Medium | 4.9 | BIG-IP (Guided Configuration) | 7.0<br>6.0<br>5.0<br>4.1<br>3.0 | 8.0 |
| | | | BIG-IP APM⁵ | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4 | 16.1.0<br>15.1.8<br>14.1.5.3 |
| CVE-2021-23047 | Medium | 5.3 | BIG-IP APM | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.0<br>15.1.3.1<br>14.1.4.3<br>13.1.5 |
| CVE-2021-23048 | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.5<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.3<br>13.1.4.1 |
| CVE-2021-23049 | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2 | 16.1.0<br>16.0.1.2<br>15.1.3 |
| CVE-2021-23050 | Medium | 5.9 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3 | 16.1.0<br>16.0.1.2<br>15.1.3.1 |
| | | | NGINX App Protect | 3.0.0 - 3.4.0<br>2.0.0 - 2.3.0<br>1.0.0 - 1.3.0 | 3.5.0 |
| CVE-2021-23051 | Medium | 5.9 | BIG-IP (all modules) | 15.1.0.4 - 15.1.3 | 16.0.0<br>15.1.3.1 |
| CVE-2021-23052 | Medium | 6.1 | BIG-IP APM | 14.1.0 - 14.1.4<br>13.1.0 - 13.1.4 | 14.1.4.4<br>13.1.5 |

Low CVEs

| CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|---|
| CVE-2021-23053 | Low | 3.7 | BIG-IP (Advanced WAF, ASM) | 15.1.0 - 15.1.2<br>14.1.0 - 14.1.3<br>13.1.0 - 13.1.3 | 16.0.0<br>15.1.3<br>14.1.3.1<br>13.1.3.6 |

Security Exposures

| CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|---|
| ID 889601 | Not applicable | Not applicable | BIG-IP (all modules) | 16.0.0 - 16.0.1<br>15.0.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.3 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4<br>13.1.4 |
| ID 928685 | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.2<br>13.1.4.1 |
| ID 929001 | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.3<br>12.1.0 - 12.1.5<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3<br>14.1.4.1<br>13.1.4<br>12.1.6<br>11.6.5.3 |
| ID 943913<br>WAFMC-4566 | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.3<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.6<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.3.1<br>14.1.4.2<br>13.1.4.1 |
| | | | NGINX App Protect | 3.0.0 - 3.4.0<br>2.0.0 - 2.3.0<br>1.0.0 - 1.3.0 | 3.5.0 |
| ID 968421 | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1<br>15.1.0 - 15.1.2<br>14.1.0 - 14.1.4<br>13.1.0 - 13.1.4<br>12.1.0 - 12.1.5<br>11.6.1 - 11.6.5 | 16.1.0<br>16.0.1.2<br>15.1.2.1<br>14.1.4.2<br>13.1.4.1<br>12.1.6<br>11.6.5.3 |
| | | | NGINX App Protect | 2.0.0 - 2.1.0<br>1.0.0 - 1.3.0 | 2.2.0 |
| ID 987157 | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 13.1.0 - 13.1.4 | 13.1.5 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

² The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to K12815: Overview of Appliance mode.

³ The fix for this issue may cause a loss of functionality when the iRule command RESOLV::lookup is used. The iRule command RESOLV::lookup is deprecated as of BIG-IP 15.1.0; F5 recommends that customers update their iRules in favor of the RESOLVER and DNSMSG namespaces.

For more information on the specific conditions that result in a loss of behavior, refer to the following Bug Tracker items:

⁴ This issue has been fixed in an engineering hotfix available for supported versions of the BIG-IP system. Customers affected by this issue can request a hotfix from F5 Support on the latest supported versions of the BIG-IP system.

⁵ You can independently upgrade F5 Guided Configuration without upgrading the entire BIG-IP system. To address this vulnerability, you can download and install an F5 Guided Configuration version listed in the Fixes introduced in column. For more information on how to upgrade F5 Guided Configuration and its supported upgrade path, refer to K85454683: Upgrading F5 Guided Configuration on BIG-IP and K06258575: Supported upgrade path for Guided Configuration.
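For patch triage, the check below compares a running BIG-IP version against the "Affected versions" and "Fixes introduced in" columns. It is an added example, not F5 code: the two rows are transcribed from the table on this page, and the function names are hypothetical. It assumes, which this page does not state, that a point release under a range's upper bound is affected until it reaches the fix listed for its own x.y branch.

```python
# Added example (not F5 code). Rows are transcribed from the table on this page.
ADVISORIES = {
    "CVE-2021-23025": {
        "affected": ["15.0.0 - 15.1.0", "14.1.0 - 14.1.3", "13.1.0 - 13.1.3",
                     "12.1.0 - 12.1.6", "11.6.1 - 11.6.5"],
        "fixes": ["16.0.0", "15.1.0.5", "14.1.3.1", "13.1.3.5"],
    },
    "CVE-2021-23028": {
        "affected": ["16.0.1", "15.1.1 - 15.1.3", "14.1.3.1 - 14.1.4.1",
                     "13.1.3.5 - 13.1.3.6"],
        "fixes": ["16.1.0", "16.0.1.2", "15.1.3.1", "14.1.4.2", "13.1.4"],
    },
}


def parse(version, width=4):
    """'15.1.0.5' -> (15, 1, 0, 5); short versions are zero-padded to `width`."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (width - len(parts))


def in_range(ver, spec):
    """True if ver falls in 'lo - hi' (or matches a single listed version).

    Assumption: the upper bound covers its own point releases, so
    15.1.0.4 is inside '15.0.0 - 15.1.0'; the fix check in status() caps it.
    """
    lo, _, hi = spec.partition(" - ")
    hi = tuple(int(p) for p in (hi or lo).split("."))  # kept as written, unpadded
    return parse(lo) <= ver and ver[:len(hi)] <= hi


def status(version, advisory):
    """Return (state, fix); fix is the listed fix on the same x.y branch, if any."""
    ver = parse(version)
    if not any(in_range(ver, s) for s in advisory["affected"]):
        return ("not listed", None)
    branch_fixes = [f for f in advisory["fixes"] if parse(f)[:2] == ver[:2]]
    if any(ver >= parse(f) for f in branch_fixes):
        return ("fixed", None)
    # No fix on this branch means moving to a branch that has one.
    return ("affected", branch_fixes[0] if branch_fixes else None)


def triage(version):
    """Check one running version against every advisory row above."""
    return {cve: status(version, adv) for cve, adv in ADVISORIES.items()}
```

A result of `("affected", None)` means the table lists no fix on the running branch, so remediation requires upgrading to a branch that has one.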
