Application service provider F5 has issued a security notice for two critical vulnerabilities that allow an unauthenticated threat actor with network access to achieve remote code execution on BIG-IP systems, a combination of software and hardware designed around access control, application availability, and security solutions.
In its statement, F5 said the vulnerabilities were found in the representational state transfer (REST) interface of the iControl framework, which is used for communication between F5 devices and users.
The identified vulnerabilities are:
- CVE-2022-41622 is a cross-site request forgery (CSRF) vulnerability affecting BIG-IP and BIG-IQ products that allows threat actors to gain root access to a device’s management interface.
- CVE-2022-41800 allows a threat actor who already holds administrative privileges to execute code remotely on vulnerable systems via an RPM file.
BIG-IP product versions affected by these vulnerabilities are as follows:
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6
- 11.6.1 – 11.6.5
F5 stated that it will not release updates for the 11.x (11.6.1 – 11.6.5) and 12.x (12.1.0 – 12.1.6) versions. It also said that there is currently no information indicating the vulnerabilities have been exploited, and that the available fixes will be included in future releases as soon as possible. To avoid becoming the target of attacks that exploit these vulnerabilities, users are advised to apply the published updates immediately.