This live blog contains information regarding the F5 BIG-IP vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on May 10, 2022.
Update May 10, 2022
13:00 | On the 4th of May 2022, F5 has published security advisory K23605346 regarding a new vulnerability in the iControl REST API, referred to as CVE-2022-1388. This vulnerability affects the F5 BIG-IP products and allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands with root privileges. There is no data plane exposure; this is a control plane issue only.
On the 9th of May 2022, a proof-of-concept exploit was published, and active exploitation of the vulnerability is noticed.
F5 has published patches and several workarounds. It is advised to apply these mitigative actions as soon as possible.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
This vulnerability has a CVSSv3 score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact.
Vulnerability CVE-2022-1388 allows an unauthenticated attacker to perform remote code execution with root privileges. Access to the iControl REST API via the management port and/or self IP addresses of the F5 BIG-IP solution is required. In most implementations these are not accessible from the internet.
Although limiting access to the management port and/or self IP addresses lowers the chance of exploitation, privilege escalation and/or lateral movement is likely in case an attacker already has access to internal systems.
Based on the F5 security advisory, the following products and versions are vulnerable:
- F5 BIG-IP versions 16.1.0 – 16.1.2
- F5 BIG-IP versions 15.1.0 – 15.1.5
- F5 BIG-IP versions 14.1.0 – 14.1.4
- F5 BIG-IP versions 13.1.0 – 13.1.4
- F5 BIG-IP versions 12.1.0 – 12.1.6
- F5 BIG-IP versions 11.6.1 – 11.6.5
F5 BIG-IP version 17 seems not to be impacted by this vulnerability.
F5 has published software updates mitigating the vulnerability for F5 BIG-IP versions 13 to 16. It is strongly advised to apply the patch as soon as possible, fixed versions:
- F5 BIG-IP version 16.x – 18.104.22.168
- F5 BIG-IP version 15.x – 22.214.171.124
- F5 BIG-IP version 14.x – 126.96.36.199
- F5 BIG-IP version 13.x – 13.1.5
No software updates will be published for versions 11.x and 12.x. The security advisory of F5 covers several workarounds for these versions and other cases where the security patch cannot be applied.
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.