674 matches found
CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
Rapid7 discovered several vulnerabilities and exposures in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS detailed in F5's Base Operating Systems support article. The affected products are detailed in the vendor advisories below: CVE-2022-41622: BIG-IP and BIG-IQ are...
PT-2022-5573 · F5 · Big-Ip
Name of the Vulnerable Software and Affected Versions: BIG-IP versions prior to the fixed version Description: The issue is related to an undisclosed iControl REST endpoint in BIG-IP, allowing an authenticated user with the Administrator role to bypass Appliance mode restrictions when running in...
PT-2022-5572 · F5 · Big-Iq Centralized Management +1
Name of the Vulnerable Software and Affected Versions: BIG-IP and BIG-IQ Centralized Management affected versions not specified Description: The issue is related to a cross-site request forgery (CSRF) attack through the iControl SOAP interface, which can allow a remote attacker to execute arbitrary...
F5 BIG-IP Cross-Site Request Forgery Vulnerability
F5 BIG-IP is an application delivery platform that integrates network traffic management, application security management, and load balancing from F5 USA. A security vulnerability exists in F5 BIG-IP. An attacker exploited the vulnerability to perform cross-site request forgery via iControl SOAP...
F5 Networks BIG-IP : Appliance mode iControl REST vulnerability (K13325942)
The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.8.1 / 16.1.3.3 / 17.0.0.2 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K13325942 advisory. - In all versions of BIG-IP, when running in Appliance mode, an authenticated user...
F5 Networks BIG-IP : iControl SOAP vulnerability (K94221585)
The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.8.1 / 16.1.3.3 / 17.0.0.2 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K94221585 advisory. BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through...
Vulnerabilities fixed in several F5 products
F5 has fixed several vulnerabilities in BIG-IP and NGINX. The vulnerabilities allow a malicious party to carry out attacks that result in the following categories of damage: Denial-of-Service (DoS), Manipulation of data, Circumvention of security measure, Remote code execution...
CVE-2022-41770
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests...
Design/Logic Flaw
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests...
CVE-2022-41813 BIG-IP PEM and AFM TMUI, TMSH and iControl vulnerability CVE-2022-41813
In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when BIG-IP is provisioned with PEM or AFM module, an undisclosed input can cause Traffic Management Microkernel (TMM) to terminate...
CVE-2022-41770 BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests...
CVE-2022-41770
CVE-2022-41770 affects BIG-IP and BIG-IQ iControl REST. An authenticated iControl REST user can cause memory resource usage to spike via undisclosed requests, potentially enabling DoS. Affected: BIG-IP (all modules) 13.1.x; 14.1.x before 14.1.5.1; 15.1.x before 15.1.7; 16.1.x before 16.1.3.1; 17....
CVE-2022-41617
CVE-2022-41617 affects BIG-IP Advanced WAF/ASM modules with an authenticated RCE via the iControl REST interface when provisioned. Affected software includes: BIG-IP 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1. The issue enables an aut...
CVE-2022-41617 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617
In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface...
F5 Networks BIG-IP : BIG-IP PEM and AFM TMUI, TMSH, and iControl REST vulnerability (K93723284)
The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5 / 15.1.6.1 / 16.1.3.1 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K93723284 advisory. When the BIG-IP system is provisioned with the PEM or AFM module, an undisclosed input can cause...
F5 BIG-IP Resource Management Error Vulnerability
F5 BIG-IP is an application delivery platform that integrates network traffic management, application security management, load balancing, and other features from F5 USA. A security vulnerability exists in F5 BIG-IP that originates from an authenticated iControl REST user who can cause an increas...
F5 Networks BIG-IP : BIG-IP and BIG-IQ iControl REST vulnerability (K22505850)
The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.1 / 15.1.7 / 16.1.3.1 / 17.0.0.1 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K22505850 advisory. An authenticated iControl REST user can cause an increase in memory resource...
F5 Networks BIG-IP : BIG-IP Advanced WAF and ASM iControl REST vulnerability (K11830089)
The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5.1 / 14.1.5.1 / 15.1.6.1 / 16.1.3.1 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K11830089 advisory. - In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5....