F5 Vulnerabilities in BIG-IP and BIG-IQ products

F5 has announced seven new vulnerabilities in its BIG-IP and BIG-IQ products, including 4 critical CVEs that allow remote code execution (RCE).

Successful exploitation of the critical vulnerabilities would likely lead to full system compromise. Attackers could reportedly intercept application traffic from the controller and move laterally into the victim's internal network. System administrators are strongly advised to apply the fixes as soon as possible.

Vulnerabilities, Affected Product Versions & Fixed Versions

The vulnerabilities are listed below; the related patches are given under 'Fixed versions':

CVE-2021-22986 (Critical)
  Potential impact: Remote Code Execution
  Affected product: BIG-IP (All modules)
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2
  Appliance / Non-Appliance mode: Both
  Control / Data plane: Control plane – iControl REST
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3

  Affected product: BIG-IQ
  Affected versions: 7.1.0-7.1.0.2, 7.0.0-7.0.0.1, 6.0.0-6.1.0
  Appliance / Non-Appliance mode: N/A
  Control / Data plane: Control plane – iControl REST
  Fixed versions: 8.0.0, 7.1.0.3, 7.0.0.2

CVE-2021-22987 (Critical)
  Potential impact: Remote Code Execution
  Affected product: BIG-IP (All modules)
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
  Appliance / Non-Appliance mode: Appliance mode
  Control / Data plane: Control plane – TMUI
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3

CVE-2021-22988 (High)
  Potential impact: Remote Code Execution
  Affected product: BIG-IP (All modules)
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
  Appliance / Non-Appliance mode: Non-Appliance mode
  Control / Data plane: Control plane – TMUI
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3

CVE-2021-22989 (High)
  Potential impact: Remote Code Execution
  Affected product: BIG-IP Advanced WAF/ASM
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
  Appliance / Non-Appliance mode: Appliance mode
  Control / Data plane: Control plane – TMUI
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3

CVE-2021-22990 (Medium)
  Potential impact: Remote Code Execution
  Affected product: BIG-IP Advanced WAF/ASM
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
  Appliance / Non-Appliance mode: Non-Appliance mode
  Control / Data plane: Control plane – TMUI
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3

CVE-2021-22991 (Critical)
  Potential impact: Remote Code Execution, Denial of Service
  Affected product: BIG-IP (All modules)
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2
  Appliance / Non-Appliance mode: Both
  Control / Data plane: Data plane
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3

CVE-2021-22992 (Critical)
  Potential impact: Remote Code Execution, Denial of Service
  Affected product: BIG-IP Advanced WAF/ASM
  Affected versions: 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
  Appliance / Non-Appliance mode: Both
  Control / Data plane: Data plane
  Fixed versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
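As an added example (not F5's tooling and not part of this advisory), the checker below carries the affected and fixed versions from the table above so an administrator can test an inventory of BIG-IP / BIG-IQ version strings against them. The function names, the sample inventory and the pairing of BIG-IQ branches to fixed versions (6.x taken to 8.0.0) are assumptions.

```python
def parse_version(v):
    # '14.1.3.1' -> (14, 1, 3, 1); tuples of ints compare numerically
    return tuple(int(x) for x in v.strip().split("."))

# (affected_low, affected_high, fixed) per branch, inclusive, as in the table above
BIGIP = [("16.0.0", "16.0.1", "16.0.1.1"), ("15.1.0", "15.1.2", "15.1.2.1"),
         ("14.1.0", "14.1.3.1", "14.1.4"), ("13.1.0", "13.1.3.5", "13.1.3.6"),
         ("12.1.0", "12.1.5.2", "12.1.5.3"), ("11.6.1", "11.6.5.2", "11.6.5.3")]
# BIG-IQ branch-to-fix pairing is assumed (the table lists 8.0.0 but no 6.x fix)
BIGIQ = [("7.1.0", "7.1.0.2", "7.1.0.3"), ("7.0.0", "7.0.0.1", "7.0.0.2"),
         ("6.0.0", "6.1.0", "8.0.0")]
ASM = "BIG-IP Advanced WAF/ASM"

# CVE -> (severity, {product: branches}); CVE-2021-22986/-22991 list no 11.6 row
ADVISORIES = {
    "CVE-2021-22986": ("Critical", {"BIG-IP": BIGIP[:5], "BIG-IQ": BIGIQ}),
    "CVE-2021-22987": ("Critical", {"BIG-IP": BIGIP}),
    "CVE-2021-22988": ("High", {"BIG-IP": BIGIP}),
    "CVE-2021-22989": ("High", {ASM: BIGIP}),
    "CVE-2021-22990": ("Medium", {ASM: BIGIP}),
    "CVE-2021-22991": ("Critical", {"BIG-IP": BIGIP[:5]}),
    "CVE-2021-22992": ("Critical", {ASM: BIGIP}),
}

def affected_cves(product, version, asm_provisioned=False):
    """Return [(cve, severity, fixed_version)] whose affected range contains
    version. product is 'BIG-IP' or 'BIG-IQ'; Advanced WAF/ASM rows count only
    for a BIG-IP with that module provisioned; outside every range -> no hit."""
    v = parse_version(version)
    hits = []
    for cve, (severity, rows) in ADVISORIES.items():
        for row_product, branches in rows.items():
            if row_product == ASM:
                if product != "BIG-IP" or not asm_provisioned:
                    continue
            elif row_product != product:
                continue
            for low, high, fixed in branches:
                if parse_version(low) <= v <= parse_version(high):
                    hits.append((cve, severity, fixed))
    return hits

if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    for host, prod, ver, asm in [("lb-1", "BIG-IP", "14.1.3", True), ("iq-1", "BIG-IQ", "7.0.0.1", False)]:
        for cve, sev, fixed in affected_cves(prod, ver, asm):
            print(f"{host} ({prod} {ver}): {cve} {sev} -> upgrade to {fixed}")
```

A host already on a fixed version (for example 16.0.1.1) falls outside every affected range and produces no hit.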

 

Published on: Mar 2021