
Overview of F5 vulnerabilities (August 2021)

Description

On August 24, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.

High CVEs

* [K55543151: BIG-IP TMUI vulnerability CVE-2021-23025](https://support.f5.com/csp/article/K55543151). CVSS score: 7.2 (High). An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.
* [K53854428: iControl SOAP vulnerability CVE-2021-23026](https://support.f5.com/csp/article/K53854428). CVSS score: 7.5 (High). BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
* [K24301698: TMUI XSS vulnerability CVE-2021-23027](https://support.f5.com/csp/article/K24301698). CVSS score: 7.5 (High). A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
* [K00602225: BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028](https://support.f5.com/csp/article/K00602225). CVSS score: 7.5 (High). When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.
* [K52420610: BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23029](https://support.f5.com/csp/article/K52420610). CVSS score: 7.5 (High). Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.
* [K42051445: BIG-IP Advanced WAF and ASM WebSocket vulnerability CVE-2021-23030](https://support.f5.com/csp/article/K42051445). CVSS score: 7.5 (High). When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
* [K41351250: BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23031](https://support.f5.com/csp/article/K41351250). CVSS score: 8.8 (High) / 9.9 (Appliance Mode only). An authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI. **Note**: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to [K12815: Overview of Appliance mode](https://support.f5.com/csp/article/K12815).
* [K45407662: BIG-IP DNS vulnerability CVE-2021-23032](https://support.f5.com/csp/article/K45407662). CVSS score: 7.5 (High). When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.
* [K05314769: BIG-IP Advanced WAF and ASM WebSocket vulnerability CVE-2021-23033](https://support.f5.com/csp/article/K05314769). CVSS score: 7.5 (High). When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
* [K30523121: BIG-IP TMM vulnerability CVE-2021-23034](https://support.f5.com/csp/article/K30523121). CVSS score: 7.5 (High). When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.
* [K70415522: TMM vulnerability CVE-2021-23035](https://support.f5.com/csp/article/K70415522). CVSS score: 7.5 (High). When an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.
* [K05043394: TMM vulnerability CVE-2021-23036](https://support.f5.com/csp/article/K05043394). CVSS score: 7.5 (High). When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
* [K21435974: TMUI XSS vulnerability CVE-2021-23037](https://support.f5.com/csp/article/K21435974). CVSS score: 7.5 (High). A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

Medium CVEs

* [K61643620: BIG-IP TMUI XSS vulnerability CVE-2021-23038](https://support.f5.com/csp/article/K61643620). CVSS score: 6.8 (Medium). A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
* [K66782293: TMM vulnerability CVE-2021-23039](https://support.f5.com/csp/article/K66782293). CVSS score: 6.5 (Medium). When IPsec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPsec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate.
* [K94255403: BIG-IP AFM vulnerability CVE-2021-23040](https://support.f5.com/csp/article/K94255403). CVSS score: 5.4 (Medium). A SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned.
* [K42526507: BIG-IP TMUI vulnerability CVE-2021-23041](https://support.f5.com/csp/article/K42526507). CVSS score: 4.7 (Medium). A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
* [K93231374: BIG-IP HTTP vulnerability CVE-2021-23042](https://support.f5.com/csp/article/K93231374). CVSS score: 5.3 (Medium). When an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization.
* [K63163637: BIG-IP TMUI vulnerability CVE-2021-23043](https://support.f5.com/csp/article/K63163637). CVSS score: 4.3 (Medium). A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files.
* [K35408374: BIG-IP compression driver vulnerability CVE-2021-23044](https://support.f5.com/csp/article/K35408374). CVSS score: 5.9 (Medium). When the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
* [K94941221: TMM SCTP vulnerability CVE-2021-23045](https://support.f5.com/csp/article/K94941221). CVSS score: 5.3 (Medium). When an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
* [K70652532: F5 BIG-IP Guided Configuration logging vulnerability CVE-2021-23046](https://support.f5.com/csp/article/K70652532). CVSS score: 4.9 (Medium). When a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), the secure properties are logged in restnoded logs.
* [K79428827: BIG-IP APM OCSP vulnerability CVE-2021-23047](https://support.f5.com/csp/article/K79428827). CVSS score: 5.3 (Medium). When BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use.
* [K19012930: TMM GTP vulnerability CVE-2021-23048](https://support.f5.com/csp/article/K19012930). CVSS score: 5.9 (Medium). When GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate.
* [K65397301: iRule RESOLVER::summarize memory leak vulnerability CVE-2021-23049](https://support.f5.com/csp/article/K65397301). CVSS score: 5.3 (Medium). When the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization, resulting in an out-of-memory condition and a denial-of-service (DoS).
* [K44553214: Web application firewall vulnerability CVE-2021-23050](https://support.f5.com/csp/article/K44553214). CVSS score: 5.9 (Medium). When a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the BIG-IP ASM bd process to terminate.
* [K01153535: BIG-IP AWS vulnerability CVE-2021-23051](https://support.f5.com/csp/article/K01153535). CVSS score: 5.9 (Medium). When the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862.
* [K32734107: BIG-IP APM vulnerability CVE-2021-23052](https://support.f5.com/csp/article/K32734107). CVSS score: 6.1 (Medium). An open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI.

Low CVEs

* [K36942191: BIG-IP Advanced WAF and ASM MySQL database vulnerability CVE-2021-23053](https://support.f5.com/csp/article/K36942191). CVSS score: 3.7 (Low). When the brute force protection feature of ASM/Advanced WAF is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to the lack of a row limit on undisclosed tables in the MySQL database.

Security Exposures

* [K14903688: BIG-IP SSL Profile OCSP Authentication security exposure](https://support.f5.com/csp/article/K14903688). The BIG-IP system does not properly verify the revocation of intermediate CA certificates when querying Online Certificate Status Protocol (OCSP) servers and may allow unauthorized connections.
* [K49549213: The BIG-IP Advanced WAF and ASM brute force mitigation may fail when receiving a specially crafted request](https://support.f5.com/csp/article/K49549213). F5 Advanced Web Application Firewall (WAF) and BIG-IP ASM brute force mitigation may fail.
* [K48321015: The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages](https://support.f5.com/csp/article/K48321015). The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages when the request contains an incorrectly formatted parameter. This issue occurs when the security policy includes a configuration that enables brute force protection for the HTML form login page.
* [K30150004: The attack signature check may fail to detect and block malicious requests](https://support.f5.com/csp/article/K30150004). The attack signature check may fail to detect and block malicious requests containing certain decimal-coded characters.
* [K30291321: The attack signature check may fail to detect and block illegal requests](https://support.f5.com/csp/article/K30291321). The attack signature check may fail to detect and block illegal requests.
* [K05391775: The BIG-IP ASM system may not properly perform attack signature checks](https://support.f5.com/csp/article/K05391775). The BIG-IP ASM system may not properly perform attack signature checks on request and response content.

The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.

**Note**: For security and sustainability, your best update choice is the latest maintenance release of a Long-Term Stability Release version.

* Long-Term Stability Release versions have 1 for their minor release number (x.1.x), and they are not available for a period of time after a major release (x.0.x).
* The latest maintenance release of a Long-Term Stability Release version (x.1.latest) can be between x.1.0 and x.1.n. Updating to maintenance or point releases (x.1.x.x) for a Long-Term Stability Release version does not introduce changes in existing default behavior.

F5 recommends that you update or upgrade your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. For more information, see the release notes for [BIG-IP 14.1.0](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-1-0.html) and [BIG-IP 15.1.0](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-15-1-0.html).
| CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
| --- | --- | --- | --- | --- | --- |
| [CVE-2021-23025](https://support.f5.com/csp/article/K55543151) | High | 7.2 | BIG-IP (all modules) | 15.0.0 - 15.1.0, 14.1.0 - 14.1.3, 13.1.0 - 13.1.3, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5 |
| [CVE-2021-23026](https://support.f5.com/csp/article/K53854428) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| | | | BIG-IQ | 8.0.0 - 8.1.0, 7.0.0 - 7.1.0, 6.0.0 - 6.1.0 | None |
| [CVE-2021-23027](https://support.f5.com/csp/article/K24301698) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
| [CVE-2021-23028](https://support.f5.com/csp/article/K00602225) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.1, 15.1.1 - 15.1.3, 14.1.3.1 - 14.1.4.1, 13.1.3.5 - 13.1.3.6 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4 |
| [CVE-2021-23029](https://support.f5.com/csp/article/K52420610) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 | 16.1.0, 16.0.1.2 |
| [CVE-2021-23030](https://support.f5.com/csp/article/K42051445) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| [CVE-2021-23031](https://support.f5.com/csp/article/K41351250) | High / Critical (Appliance mode only)² | 8.8 / 9.9² | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3, 12.1.0 - 12.1.5, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
| [CVE-2021-23032](https://support.f5.com/csp/article/K45407662) | High | 7.5 | BIG-IP (DNS) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
| [CVE-2021-23033](https://support.f5.com/csp/article/K05314769) | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| [CVE-2021-23034](https://support.f5.com/csp/article/K30523121)³ | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3 | 16.1.0, 15.1.3.1 |
| [CVE-2021-23035](https://support.f5.com/csp/article/K70415522) | High | 7.5 | BIG-IP (all modules) | 14.1.0 - 14.1.4 | 14.1.4.4 |
| [CVE-2021-23036](https://support.f5.com/csp/article/K05043394) | High | 7.5 | BIG-IP (Advanced WAF, ASM, DataSafe) | 16.0.0 - 16.0.1 | 16.1.0, 16.0.1.2 |
| [CVE-2021-23037](https://support.f5.com/csp/article/K21435974) | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.1.1, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| [CVE-2021-23038](https://support.f5.com/csp/article/K61643620) | Medium | 6.8 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.0.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
| [CVE-2021-23039](https://support.f5.com/csp/article/K66782293) | Medium | 6.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.0.0 - 15.1.2, 14.1.0 - 14.1.2, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.2.8, 13.1.5 |
| [CVE-2021-23040](https://support.f5.com/csp/article/K94255403) | Medium | 5.4 | BIG-IP AFM | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| [CVE-2021-23041](https://support.f5.com/csp/article/K42526507) | Medium | 4.7 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| [CVE-2021-23042](https://support.f5.com/csp/article/K93231374) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.3, 13.1.0 - 13.1.3, 12.1.0 - 12.1.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
| [CVE-2021-23043](https://support.f5.com/csp/article/K63163637) | Medium | 4.3 | BIG-IP (all modules) | 16.0.0 - 16.1.1, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| [CVE-2021-23044](https://support.f5.com/csp/article/K35408374) | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
| [CVE-2021-23045](https://support.f5.com/csp/article/K94941221) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.3, 13.1.0 - 13.1.3, 12.1.0 - 12.1.5 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| [CVE-2021-23046](https://support.f5.com/csp/article/K70652532) | Medium | 4.9 | BIG-IP (Guided Configuration) | 7.0, 6.0, 5.0, 4.1, 3.0 | 8.0 |
| | | | BIG-IP APM⁵ | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 16.1.0 |
| [CVE-2021-23047](https://support.f5.com/csp/article/K79428827) | Medium | 5.3 | BIG-IP APM | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 15.1.3.1, 14.1.4.3, 13.1.5 |
| [CVE-2021-23048](https://support.f5.com/csp/article/K19012930) | Medium | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.5, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| [CVE-2021-23049](https://support.f5.com/csp/article/K65397301) | Medium | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2 | 16.1.0, 16.0.1.2, 15.1.3 |
| [CVE-2021-23050](https://support.f5.com/csp/article/K44553214) | Medium | 5.9 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3 | 16.1.0, 16.0.1.2, 15.1.3.1 |
| | | | NGINX App Protect | 3.0.0 - 3.4.0, 2.0.0 - 2.3.0, 1.0.0 - 1.3.0 | 3.5.0 |
| [CVE-2021-23051](https://support.f5.com/csp/article/K01153535) | Medium | 5.9 | BIG-IP (all modules) | 15.1.0.4 - 15.1.3 | 16.0.0, 15.1.3.1 |
| [CVE-2021-23052](https://support.f5.com/csp/article/K32734107) | Medium | 6.1 | BIG-IP APM | 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 14.1.4.4, 13.1.5 |
| [CVE-2021-23053](https://support.f5.com/csp/article/K36942191) | Low | 3.7 | BIG-IP (Advanced WAF, ASM) | 15.1.0 - 15.1.2, 14.1.0 - 14.1.3, 13.1.0 - 13.1.3 | 16.0.0, 15.1.3, 14.1.3.1, 13.1.3.6 |
| [ID 889601](https://support.f5.com/csp/article/K14903688) | Not applicable | Not applicable | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.0.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| [ID 928685](https://support.f5.com/csp/article/K49549213) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| [ID 929001](https://support.f5.com/csp/article/K48321015) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3, 12.1.0 - 12.1.5, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
| [ID 943913](https://support.f5.com/csp/article/K30150004) / [WAFMC-4566](https://support.f5.com/csp/article/K30150004) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
| | | | NGINX App Protect | 3.0.0 - 3.4.0, 2.0.0 - 2.3.0, 1.0.0 - 1.3.0 | 3.5.0 |
| [ID 968421](https://support.f5.com/csp/article/K30291321) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.5, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3 |
| | | | NGINX App Protect | 2.0.0 - 2.1.0, 1.0.0 - 1.3.0 | 2.2.0 |
| [ID 987157](https://support.f5.com/csp/article/K05391775) | Not applicable | Not applicable | BIG-IP (Advanced WAF, ASM) | 13.1.0 - 13.1.4 | 13.1.5 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

² The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to [K12815: Overview of Appliance mode](https://support.f5.com/csp/article/K12815).

³ The fix for this issue may cause a loss of functionality when the iRule command [RESOLV::lookup](https://clouddocs.f5.com/api/irules/RESOLV__lookup.html) is used. The iRule command **RESOLV::lookup** is deprecated as of BIG-IP 15.1.0; F5 recommends that customers update their iRules in favor of the [RESOLVER](https://clouddocs.f5.com/api/irules/RESOLVER.html) and [DNSMSG](https://clouddocs.f5.com/api/irules/DNSMSG.html) namespaces. For more information on the specific conditions that result in a loss of behavior, refer to the following Bug Tracker items:

* [Bug ID 1010697](https://cdn.f5.com/product/bugtracker/ID1010697.html)
* [Bug ID 1037005](https://cdn.f5.com/product/bugtracker/ID1037005.html)
* [Bug ID 1038921](https://cdn.f5.com/product/bugtracker/ID1038921.html)

⁴ This issue has been fixed in an engineering hotfix available for supported versions of the BIG-IP system. Customers affected by this issue can request a hotfix from F5 Support on the latest supported versions of the BIG-IP system.

⁵ You can independently upgrade F5 Guided Configuration without upgrading the entire BIG-IP system. To address this vulnerability, you can download and install an F5 Guided Configuration version listed in the **Fixes introduced in** column. For more information on how to upgrade F5 Guided Configuration and its supported upgrade path, refer to [K85454683: Upgrading F5 Guided Configuration on BIG-IP](https://support.f5.com/csp/article/K85454683) and [K06258575: Supported upgrade path for Guided Configuration](https://support.f5.com/csp/article/K06258575).
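Reading a table like the one above by hand for a fleet of devices is error-prone, especially where a fix lands in a point release (15.1.0.5) inside a range whose end (15.1.0) looks unaffected. The script below is an added example, not F5 tooling: it transcribes four rows of the table (CVE-2021-23025, CVE-2021-23031, CVE-2021-23035 and CVE-2021-23051, BIG-IP rows only) and checks an installed version against them. The matching rule is an assumption about how F5's tables are meant to be read: a version is affected when it is at or above the start of an affected range in its own branch (major.minor) and below the fix introduced in that branch, or, when the branch has no fix, at or below the end of the range. The `ENTRIES` dictionary and all function names are this example's own.

```python
"""Check a BIG-IP version against affected/fixed ranges from an F5 overview table.

Added example, not F5's code. ENTRIES transcribes four BIG-IP rows of the
table above; extend it with further rows as needed.
"""
from __future__ import annotations

from typing import Optional

Version = tuple[int, ...]

# Transcribed from the table: affected ranges (inclusive) and fixes introduced in.
ENTRIES: dict[str, dict] = {
    "CVE-2021-23025": {
        "affected": [("15.0.0", "15.1.0"), ("14.1.0", "14.1.3"), ("13.1.0", "13.1.3"),
                     ("12.1.0", "12.1.6"), ("11.6.1", "11.6.5")],
        "fixed": ["16.0.0", "15.1.0.5", "14.1.3.1", "13.1.3.5"],
    },
    "CVE-2021-23031": {
        "affected": [("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.4"),
                     ("13.1.0", "13.1.3"), ("12.1.0", "12.1.5"), ("11.6.1", "11.6.5")],
        "fixed": ["16.1.0", "16.0.1.2", "15.1.3", "14.1.4.1", "13.1.4", "12.1.6", "11.6.5.3"],
    },
    "CVE-2021-23035": {
        "affected": [("14.1.0", "14.1.4")],
        "fixed": ["14.1.4.4"],
    },
    "CVE-2021-23051": {
        "affected": [("15.1.0.4", "15.1.3")],
        "fixed": ["16.0.0", "15.1.3.1"],
    },
}


def parse(version: str) -> Version:
    """'15.1.0.5' -> (15, 1, 0, 5); tuple comparison orders point releases correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def branch(v: Version) -> Version:
    """BIG-IP branches are keyed by major.minor (16.0, 16.1, 15.1, 14.1, ...)."""
    return v[:2]


def fix_in_branch(entry: dict, v: Version) -> Optional[Version]:
    """The 'Fixes introduced in' entry that belongs to the version's own branch, if any."""
    for fix in entry["fixed"]:
        fv = parse(fix)
        if branch(fv) == branch(v):
            return fv
    return None


def is_affected(cve: str, version: str) -> bool:
    v = parse(version)
    entry = ENTRIES[cve]
    fix = fix_in_branch(entry, v)
    for lo_s, hi_s in entry["affected"]:
        lo, hi = parse(lo_s), parse(hi_s)
        # Only ranges that touch the version's branch apply (a range may span
        # branches, e.g. 15.0.0 - 15.1.0).
        if not (branch(lo) <= branch(v) <= branch(hi)):
            continue
        if v < lo:
            continue
        if fix is not None:
            # The branch has a fix: everything from the range start up to,
            # but not including, the fix is affected (14.1.4.1 < 14.1.4.4).
            if v < fix:
                return True
        elif v[:len(hi)] <= hi:
            # No fix in this branch: point releases of the range end are affected too.
            return True
    return False


def recommended_fix(cve: str, version: str) -> Optional[str]:
    """Fix in the same branch if one exists, else the lowest fix newer than the version."""
    if not is_affected(cve, version):
        return None
    v = parse(version)
    fix = fix_in_branch(ENTRIES[cve], v)
    if fix is None:
        fix = min(fv for fv in (parse(f) for f in ENTRIES[cve]["fixed"]) if fv > v)
    return fmt(fix)


def scan(version: str) -> dict[str, str]:
    """Map every CVE in ENTRIES that affects the version to its recommended fix."""
    return {cve: recommended_fix(cve, version) for cve in ENTRIES if is_affected(cve, version)}


if __name__ == "__main__":
    import sys
    installed = sys.argv[1] if len(sys.argv) > 1 else "14.1.4.2"  # constructed sample
    for cve, fix in scan(installed).items():
        print(f"{installed}: affected by {cve}, upgrade to {fix}")
```

Run it with the version string from `tmsh show sys version` on the device. For the constructed sample 14.1.4.2 it reports only CVE-2021-23035 (fix 14.1.4.4), because 14.1.4.2 already sits above the 14.1.4.1 fix for CVE-2021-23031; for 12.1.6, where the 12.1 branch of CVE-2021-23025 has no fix at all, it points at the next fixed branch, 13.1.3.5.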

