F5 Vulnerabilities in BIG-IP and BIG-IQ products

F5 announced seven new vulnerabilities in their BIG-IP and BIG-IQ products, including 4 critical CVEs about remote code execution (RCE).

Successful exploitation of the critical vulnerabilities would likely lead to a full system compromise. Attackers would reportedly be able to intercept application traffic from the controller and move laterally to the victims’ internal network. System administrators are strongly recommended to apply the fixes as soon as possible.

Vulnerabilities, Affected Product Versions & Fixed Versions

Below are the vulnerabilities being discovered and please find related patches in the column of ‘Fixed versions’:

Vulnerabilities	Potential Impact	Affected products	Affected versions	Appliance mode / Non-Appliance mode	Control plane / Data plane	Fixed versions
CVE-2021-22986 (Critical)	Remote Code Execution	BIG-IP (All modules)	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2	Both	Control plane – iControl REST	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3
CVE-2021-22986 (Critical)	Remote Code Execution	BIG-IQ	7.1.0-7.1.0.2 7.0.0-7.0.0.1 6.0.0-6.1.0	N/A	Control plane – iControl REST	8.0.0 7.1.0.3 7.0.0.2
CVE-2021-22987 (Critical)	Remote Code Execution	BIG-IP (All modules)	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2	Appliance mode	Control plane – TMUI	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3
CVE-2021-22988 (High)	Remote Code Execution	BIG-IP (All Modules)	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2	Non-Appliance Mode	Control plane – TMUI	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3
CVE-2021-22989 (High)	Remote Code Execution	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2	Appliance mode	Control plane – TMUI	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3
CVE-2021-22990 (Medium)	Remote Code Execution	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2	Non-Appliance mode	Control plane – TMUI	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3
CVE-2021-22991 (Critical)	Remote Code Execution, Denial of Service	BIG-IP (All Modules)	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2	Both	Data plane	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3
CVE-2021-22992 (Critical)	Remote Code Execution, Denial of Service	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.3.1 13.1.0-13.1.3.5 12.1.0-12.1.5.2 11.6.1-11.6.5.2	Both	Data plane	16.0.1.1 15.1.2.1 14.1.4 13.1.3.6 12.1.5.3 11.6.5.3

References:

F5 Article: Overview of F5 critical vulnerabilities (March 2021)

Published on: Mar 2021

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.