F5 announced seven new vulnerabilities in their BIG-IP and BIG-IQ products, including 4 critical CVEs about remote code execution (RCE).
Successful exploitation of the critical vulnerabilities would likely lead to a full system compromise. Attackers would reportedly be able to intercept application traffic from the controller and move laterally to the victims’ internal network. System administrators are strongly recommended to apply the fixes as soon as possible.
Below are the vulnerabilities being discovered and please find related patches in the column of ‘Fixed versions’:
| Vulnerabilities | Potential Impact | Affected products | Affected versions | Appliance mode / Non-Appliance mode |
Control plane / Data plane | Fixed versions |
| CVE-2021-22986
(Critical) |
Remote Code Execution | BIG-IP (All modules) | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 |
Both | Control plane – iControl REST | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 |
| BIG-IQ | 7.1.0-7.1.0.2 7.0.0-7.0.0.1 6.0.0-6.1.0 |
N/A | Control plane – iControl REST | 8.0.0 7.1.0.3 7.0.0.2 |
||
| CVE-2021-22987
(Critical) |
Remote Code Execution | BIG-IP (All modules) | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2 |
Appliance mode | Control plane – TMUI | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3 |
| CVE-2021-22988
(High) |
Remote Code Execution | BIG-IP (All Modules) | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2 |
Non-Appliance Mode | Control plane – TMUI | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3 |
| CVE-2021-22989
(High) |
Remote Code Execution | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2 |
Appliance mode | Control plane – TMUI | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3 |
| CVE-2021-22990
(Medium) |
Remote Code Execution | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2 |
Non-Appliance mode | Control plane – TMUI | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3 |
| CVE-2021-22991
(Critical) |
Remote Code Execution, Denial of Service | BIG-IP (All Modules) | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 |
Both | Data plane | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 |
| CVE-2021-22992
(Critical) |
Remote Code Execution, Denial of Service | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2 |
Both | Data plane | 16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3 |
Published on: Mar 2021
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
(+852) 39438845
