F5 has released fixes for 12 High severity vulnerabilities that affect BIG-IP and BIG-IQ products.
An attacker could exploit these vulnerabilities and potentially take over impacted systems.
As revealed in a recent security advisory, F5 patched 12 High severity vulnerabilities (along with CVSS score):
- CVE-2022-35243: Authenticated iControl REST in Appliance mode vulnerability (CVSS 8.7)
- CVE-2022-35728: iControl REST vulnerability (CVSS 8.1)
- CVE-2022-34655: TMM vulnerability (CVSS 7.5)
- CVE-2022-35245: BIG-IP APM access policy vulnerability (CVSS 7.5)
- CVE-2022-35240: BIG-IP Message Routing MQTT vulnerability (CVSS 7.5)
- CVE-2022-35236: HTTP2 profile vulnerability (CVSS 7.5)
- CVE-2022-34651: BIG-IP TLS1.3 iRule vulnerability (CVSS 7.5)
- CVE-2022-32455: TMM vulnerability (CVSS 7.5)
- CVE-2022-34862: TMM vulnerability (CVSS 7.5)
- CVE-2022-33203: BIG-IP APM and SSL Orchestrator vulnerability (CVSS 7.5)
- CVE-2022-35272: BIG-IP HTTP MRF vulnerability (CVSS 7.5)
- CVE-2022-35735: BIG-IP monitor configuration vulnerability (CVSS 7.5).
The most severe of the issues CVE-2022-35243 could allow an authenticated user assigned the Administrator role to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. The vulnerability affects all modules in BIG-IP when running in Appliance mode.
Moreover, F5 also addressed one Low and eight Medium severity vulnerabilities.
- Attackers could exploit Critical F5 BIG-IP vulnerability to execute arbitrary commands
- Critical F5 BIG-IP vulnerability (CVE-2021-22986) under active attack
- Top 30 most commonly exploited vulnerabilities over 2020 and 2021
- Microsoft May 2022 Security Updates addresses 73 vulnerabilities (7 rated Critical, 1 zero-day)