K22505850: BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770
Security Advisory Description An authenticated iControl REST user can cause an increase in memory resource utilization, through undisclosed requests. CVE-2022-41770 Impact BIG-IP and BIG-IQ System performance degradation can occur until the process is either forced to restart or manually restarte...
K29149494: iControl REST vulnerability CVE-2019-6637
Security Advisory Description Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated...
K20541896: iControl REST and tmsh vulnerability CVE-2019-6621
Security Advisory Description On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin...
K20445457: iControl REST vulnerability CVE-2019-6620
Security Advisory Description Undisclosed iControl REST worker vulnerable to command injection for an Administrator user. CVE-2019-6620 Impact BIG-IP and BIG-IQ This vulnerability may bypass Appliance mode security by allowing the execution of arbitrary bash commands. In non-Appliance mode...
K11830089: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617
Security Advisory Description When the F5 BIG-IP Advanced WAF or BIG-IP ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface. CVE-2022-41617 Impact On systems deployed in Standard or Appliance mode, this vulnerability may all...
K53854428: iControl SOAP vulnerability CVE-2021-23026
Security Advisory Description BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. CVE-2021-23026 Impact An attacker may trick authenticated users into performing critical actions. This vulnerability can only be exploited through the control plane and...
K06440657: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Security Advisory Description The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. CVE-2021-23001 Impact An authenticated malicious user can upload malicious files to use in...
K87502622: iControl REST vulnerability CVE-2021-22978
Security Advisory Description Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. CVE-2021-22978 Impact An attacker may exploit this vulnerability using a crafted URL to a...
K47284724: iControl vulnerability CVE-2016-9256
Security Advisory Description Permissions enforced by iControl can lag behind the actual permissions assigned to a user if the rolemap is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage;...
K74151369: Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015
Security Advisory Description When running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. CVE-2021-23015 Note: This vulnerability is unrelated to the vulnerability describ...
K67825238: iControl REST vulnerability CVE-2019-6638
Security Advisory Description Malformed HTTP requests made to an undisclosed iControl REST endpoint can lead to an infinite loop of the restjavad process. CVE-2019-6638 Impact All authenticated users, regardless of role, can exploit this vulnerability, which can result in a denial-of-service (DoS) for...
K44885536: iControl REST vulnerability CVE-2019-6622
Security Advisory Description Undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is only exploitable on multi-bladed systems. The vulnerability allows bypass of Appliance mode security on BIG-IP systems by allowing t...
K96639388: Overview of F5 vulnerabilities (April 2021)
Security Advisory Description On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. The details of each issue can be found in the associate...
K15220: iControl vulnerability CVE-2014-2928
Security Advisory Description The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 11.0.0 throu...
K68652018: iControl REST vulnerability CVE-2021-22974
Security Advisory Description An authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. CVE-2021-22974...
K41107914: iControl REST vulnerability CVE-2016-9251
Security Advisory Description In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection. CVE-2016-9251 Impact An authenticated attacker may be able to cause an escalation of privileges through a crafte...
K64855220: F5 TMUI and iControl Rest vulnerability CVE-2019-6634
Security Advisory Description High volume of malformed analytics report requests leads to instability in restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role. CVE-2019-6634 Note: The No Access user role is...
K50974556: Overview of F5 vulnerabilities (August 2021)
Security Advisory Description On August 24, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...
K15101402: iControl REST vulnerability CVE-2022-1468
Security Advisory Description An authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests. CVE-2022-1468 Impact Processing delays to iControl REST requests can occur until the iControl REST daemon is either...
K24465120: iControl REST vulnerability CVE-2017-6167
Security Advisory Description Race conditions in iControl REST may lead to commands executed with different privilege levels than expected. CVE-2017-6167 Impact Sending asynchronous tasks using the iControl REST API may be processed as the wrong user and result in an error. Security Advisory Stat...