Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

F5 Patches Two Dozen Vulnerabilities in BIG-IP

Cloud security and application delivery solutions provider F5 this week announced patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

A total of 23 security flaws were addressed in the BIG-IP application delivery controller (ADC), including 13 high-severity issues, all of which carry a CVSS score of 7.5.

Cloud security and application delivery solutions provider F5 this week announced patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

A total of 23 security flaws were addressed in the BIG-IP application delivery controller (ADC), including 13 high-severity issues, all of which carry a CVSS score of 7.5.

The majority of the high-severity bugs can result in the termination of the Traffic Management Microkernel (TMM). Few others can lead to increase in memory resource utilization, virtual server freezes, or JavaScript code execution.

The security defects were identified in multiple BIG-IP versions, ranging from 11.x to 16.x. Fixes were included in versions 14.x, 15.x, and 16.x.

F5 also announced patches for two high-severity errors, in BIG-IQ centralized management (CVE-2022-23009 – CVSS score of 8.0) and NGINX controller API management (CVE-2022-23008 – CVSS score of 8.7).

The bugs can be exploited to access other BIG-IP devices managed by the same BIG-IQ system and to inject JavaScript code, respectively.

All of the nine medium-severity vulnerabilities patched this week affect BIG-IP, but one of them – namely CVE-2022-23023, leading to increased memory resource utilization – impacts BIG-IQ as well.

The flaws can lead to TMM termination, increase in resource utilization, virtual server freezes, failure of certain types of TCP connections, or the leak of local files.

Additionally, F5 patched one low-severity vulnerability leading to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review F5’s advisory and install the available software updates as soon as possible.

“A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system,” CISA notes.

Related: Researchers Raise Alarm for F5 BIG-IP Malware Attacks

Related: F5 Patches Four Critical Bugs in Big-IP Suite

Related: Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.