Cloud security and application delivery solutions provider F5 this week announced patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.
A total of 23 security flaws were addressed in the BIG-IP application delivery controller (ADC), including 13 high-severity issues, all of which carry a CVSS score of 7.5.
The security defects were identified in multiple BIG-IP versions, ranging from 11.x to 16.x. Fixes were included in versions 14.x, 15.x, and 16.x.
F5 also announced patches for two high-severity errors, in BIG-IQ centralized management (CVE-2022-23009 – CVSS score of 8.0) and NGINX controller API management (CVE-2022-23008 – CVSS score of 8.7).
All of the nine medium-severity vulnerabilities patched this week affect BIG-IP, but one of them – namely CVE-2022-23023, leading to increased memory resource utilization – impacts BIG-IQ as well.
The flaws can lead to TMM termination, increase in resource utilization, virtual server freezes, failure of certain types of TCP connections, or the leak of local files.
Additionally, F5 patched one low-severity vulnerability leading to a DNS rebinding attack.
The United States Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review F5’s advisory and install the available software updates as soon as possible.
“A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system,” CISA notes.