F5, a cloud security and application delivery network (ADN) provider, released updates on Wednesday to fix 43 problems across its products.

One issue is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated Low in severity, out of the 43 discussed.

The most serious of the problems is CVE-2022-1388, which has a CVSS score of 9.8 out of ten and is caused by a lack of authentication checks, allowing an attacker to seize control of an affected system.

“An unauthenticated attacker having network access to the BIG-IP system via the management port and/or self IP addresses may be able to execute arbitrary system instructions, create or delete files, or disable services,” according to F5.

“This is solely a control plane issue; there is no data plane exposure.” BIG-IP products with the following versions are affected by the security issue, which was found internally, according to the business.

  •     16.1.0 – 16.1.2
  •     15.1.0 – 15.1.5
  •     14.1.0 – 14.1.4
  •     13.1.0 – 13.1.4
  •     12.1.0 – 12.1.6
  •     11.6.1 – 11.6.5

Versions 17.0.0,,,, and 13.1.5 feature patches for the iControl REST authentication bypass issue. CVE-2022-1388 does not affect other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffix SDC.

F5 has also provided workarounds till the updates are implemented –

  • By using your own IP address, you may prevent iControl REST access.
  • Through the administrative interface, you can disable iControl REST access.
  • Make changes to the BIG-IP httpd settings.

Authenticated attackers may overcome Appliance mode limitations and execute arbitrary JavaScript code in the context of the presently logged-in user, among other flaws fixed in the upgrade.

Due to the widespread use of F5 appliances in enterprise networks, it’s critical that organizations implement the updates as soon as possible to prevent threat actors from leveraging the attack vector for first access.

The security updates follow the addition of five additional defects to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog based on active exploitation evidence –

  •     CVE-2021-1789 – Apple Multiple Products Type Confusion Vulnerability
  •     CVE-2019-8506 – Apple Multiple Products Type Confusion Vulnerability
  •     CVE-2014-4113 – Microsoft Win32k Privilege Escalation Vulnerability
  •     CVE-2014-0322 – Microsoft Internet Explorer Use-After-Free Vulnerability
  •     CVE-2014-0160 – OpenSSL Information Disclosure Vulnerability

Source: https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html