Cloud security and application delivery solutions provider F5 this week announced patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.
A total of 23 security flaws were addressed in the BIG-IP application delivery controller (ADC), including 13 high-severity issues, all of which carry a CVSS score of 7.5.
The majority of the high-severity bugs can result in the termination of the Traffic Management Microkernel (TMM). Few others can lead to increase in memory resource utilization, virtual server freezes, or JavaScript code execution.
The security defects were identified in multiple BIG-IP versions, ranging from 11.x to 16.x. Fixes were included in versions 14.x, 15.x, and 16.x.
F5 also announced patches for two high-severity errors, in BIG-IQ centralized management (CVE-2022-23009 – CVSS score of 8.0) and NGINX controller API management (CVE-2022-23008 – CVSS score of 8.7).
The bugs can be exploited to access other BIG-IP devices managed by the same BIG-IQ system and to inject JavaScript code, respectively.
All of the nine medium-severity vulnerabilities patched this week affect BIG-IP, but one of them – namely CVE-2022-23023, leading to increased memory resource utilization – impacts BIG-IQ as well.
The flaws can lead to TMM termination, increase in resource utilization, virtual server freezes, failure of certain types of TCP connections, or the leak of local files.
Additionally, F5 patched one low-severity vulnerability leading to a DNS rebinding attack.
The United States Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review F5’s advisory and install the available software updates as soon as possible.
“A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system,” CISA notes.
Related: Researchers Raise Alarm for F5 BIG-IP Malware Attacks
Related: F5 Patches Four Critical Bugs in Big-IP Suite
Related: Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks
