
K55879220 : Overview of F5 vulnerabilities (May 2022)

Published: 2022-05-04 00:00:00
Source: my.f5.com

CVSS v3.1: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

AI Score: 7.8 High (Confidence: Low)

CVSS v2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

EPSS: 0.973 High (Percentile: 99.9%)

Security Advisory Description

On May 4, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help you determine their impact on your F5 devices. You can find the details of each issue in the associated security advisory.

Distributed Cloud and Managed Services

Service | Status
F5 Distributed Cloud Services | Does not affect or has been resolved
Silverline | Does not affect or has been resolved
Threat Stack | Does not affect or has been resolved

Contents:
  • Critical CVEs
  • High CVEs
  • Medium CVEs
  • Low CVEs
  • Security Exposures

Critical CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388 | 9.8 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

High CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in
K52322100: Authenticated F5 BIG-IP Guided Configuration integrity check in Appliance mode vulnerability CVE-2022-25946 | 8.7 - Appliance mode only | BIG-IP Guided Configuration | 3.0 - 8.0 | 9.0
  BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.7, 14.1.0 - 14.1.5, 13.1.0.8 - 13.1.5 | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
K68647001: Authenticated F5 BIG-IP Guided Configuration in Appliance mode vulnerability CVE-2022-27806 | 8.7 - Appliance mode only | BIG-IP Guided Configuration | 3.0 - 8.0 | 9.0
  BIG-IP (Advanced WAF, APM, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0.8 - 13.1.5 | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
K70300233: BIG-IP TMUI XSS vulnerability CVE-2022-28707 | 8.0 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
K33552735: BIG-IP Edge Client for Windows vulnerability CVE-2022-29263 | 7.8 | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
  BIG-IP APM Clients | 7.1.8 - 7.2.1 | 7.2.2, 7.2.1.5
K81952114: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-26415 | 7.7 - Appliance mode only | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K23454411: DNS profile vulnerability CVE-2022-26372 | 7.5 | BIG-IP (all modules) | 15.1.0, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5
K25451853: TMUI XSS vulnerability CVE-2022-28716 | 7.5 | BIG-IP (AFM, CGNAT, PEM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K16187341: BIG-IP ICAP profile vulnerability CVE-2022-27189 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K21317311: F5 BIG-IP Guided Configuration XSS vulnerability CVE-2022-27230 | 7.5 | BIG-IP Guided Configuration | 3.0 - 8.0 | 9.0
  BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0.8 - 13.1.5 | 17.0.0
K37155600: BIG-IP RTSP profile vulnerability CVE-2022-28691 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
K14229426: BIG-IP SSL vulnerability CVE-2022-29491 | 7.5 | BIG-IP (LTM, Advanced WAF, ASM, APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
K52340447: F5 ePVA vulnerability CVE-2022-28705 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K03442392: BIG-IP ASM and F5 Advanced WAF vulnerability CVE-2022-26890 | 7.5 | BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5
K99123750: BIG-IP Stream profile vulnerability CVE-2022-28701 | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 | 17.0.0, 16.1.2.2
K41440465: BIG-IP TMM vulnerability CVE-2022-26071 | 7.4 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K54460845: BIG-IP Edge Client for Windows vulnerability CVE-2022-28714 | 7.3 | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
  BIG-IP APM Clients | 7.2.1 - 7.2.1, 7.1.6 - 7.1.9 | 7.2.2, 7.2.1.5
K08510472: BIG-IP TMUI vulnerability CVE-2022-28695 | 7.2 - Standard deployment mode; 9.1 - Appliance mode | BIG-IP (AFM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Medium CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in
K92807525: TMUI XSS vulnerability CVE-2022-27878 | 6.8 | BIG-IP Guided Configuration | 6.0 - 8.0 | 9.0
  BIG-IP (all modules) | 16.0.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0.4 - 13.1.5 | 17.0.0
K94093538: NGINX Service Mesh control plane vulnerability CVE-2022-27495 | 6.5 | NGINX Service Mesh | 1.3.0 - 1.3.1 | 1.4.0
K57555833: BIG-IP APM vulnerability CVE-2022-27634 | 6.5 | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1
K47662005: BIG-IP Net HSM script vulnerability CVE-2022-28859 | 6.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6
K06323049: BIG-IP IPsec ALG vulnerability CVE-2022-29473 | 5.9 | BIG-IP (all modules) | 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5
K51539421: BIG-IP SIP ALG profile vulnerability CVE-2022-26370 | 5.9 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
K54082580: BIG-IP CGNAT LSN vulnerability CVE-2022-26517 | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
K03755971: BIG-IP DNS resolver vulnerability CVE-2022-28706 | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.1.1, 15.1.0 - 15.1.5 | 17.0.0, 16.1.2, 15.1.5.1
K85054496: BIG-IP DNS resolver vulnerability CVE-2022-28708 | 5.9 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1
K40019131: F5 Access for Android vulnerability CVE-2022-27875 | 5.5 | F5 Access for Android | 3.0.6 - 3.0.7 | 3.0.8
K57110035: BIG-IP APM Edge client for Windows logging vulnerability CVE-2022-27636 | 5.5 | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
  BIG-IP APM Clients | 7.1.6 - 7.2.1 | 7.2.1.5
K44233515: F5OS-A vulnerability CVE-2022-25990 | 5.3 | F5OS-A | 1.0.0 | 1.0.1
K82034427: BIG-IP FTP profile vulnerability CVE-2022-26130 | 5.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K71103363: BIG-IP big3d vulnerability CVE-2022-29480 | 5.3 | BIG-IP (all modules) | 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 14.0.0, 13.1.5
K64124988: TMM IPv6 stack vulnerability CVE-2022-29479 | 5.3 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
  BIG-IQ Centralized Management | 8.0.0 - 8.2.0, 7.0.0 - 7.1.0 | None
K31856317: BIG-IP Packet Filters vulnerability CVE-2022-27182 | 5.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
K93543114: BIG-IP APM vulnerability CVE-2022-27181 | 5.3 | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K53197140: BIG-IP iControl REST and tmsh vulnerabilities CVE-2022-26835 | 4.9 - Standard deployment mode; 6.8 - Appliance mode | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K38271531: BIG-IP and BIG-IQ SCP vulnerability CVE-2022-26340 | 4.9 | BIG-IP (all modules) | 16.0.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
  BIG-IQ Centralized Management | 8.0.0 - 8.2.0, 7.0.0 - 7.1.0 | None
K24248011: Traffix SDC Configuration utility vulnerability CVE-2022-27662 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35
K17341495: Traffix SDC Configuration utility vulnerability CVE-2022-27880 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35
K15101402: iControl REST vulnerability CVE-2022-1468 | 4.3 | BIG-IP (all modules) | 17.0.0, 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | None
K41877405: BIG-IP TMUI vulnerability CVE-2022-27659 | 4.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
K59904248: iControl SOAP vulnerability CVE-2022-29474 | 4.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Low CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in
K49905324: BIG-IP TMUI CSRF vulnerability CVE-2022-1389 | 3.1 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Security Exposures

Security Advisory (Exposure) | Affected products | Affected versions¹ | Fixes introduced in
K68816502: A BIG-IP LTM policy referencing an external data group may not match traffic | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
K74302282: BIG-IP APM RDP resource security exposure | BIG-IP (APM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K70134152: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect encoded directory traversal security exposure | BIG-IP (Advanced WAF, ASM) | 16.1.0, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
  NGINX App Protect | 3.0.0 - 3.6.0, 2.0.0 - 2.3.0, 1.0.0 - 1.3.0 | 3.7.0
K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure | BIG-IP (Advanced WAF, ASM) | 15.1.0 - 15.1.4, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
K67397230: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect normalizing security exposure | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.4, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6
  NGINX App Protect | 3.0.0 - 3.6.0, 2.0.0 - 2.3.0, 1.0.0 - 1.3.0 | 3.7.0
K53593534: BIG-IP ASM and F5 Advanced WAF attack signature check failure on certain HTTP requests | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K39002226: F5 Advanced WAF and BIG-IP ASM multipart request security exposure | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K94142349: BIG-IP Advanced WAF and ASM WebSocket security exposure | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K85021277: BIG-IP DNSSEC security exposure | BIG-IP (DNS) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
K92306170: BIG-IP AFM single endpoint flood/sweep DoS vector security exposure | BIG-IP (AFM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
