Cloud security and application delivery solutions provider F5 this week announced patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.
A total of 23 security flaws were addressed in the BIG-IP application delivery controller (ADC), including 13 high-severity issues, all of which carry a CVSS score of 7.5.
The majority of the high-severity bugs can result in the termination of the Traffic Management Microkernel (TMM). Few others can lead to increase in memory resource utilization, virtual server freezes, or JavaScript code execution.
The security defects were identified in multiple BIG-IP versions, ranging from 11.x to 16.x. Fixes were included in versions 14.x, 15.x, and 16.x.
F5 also announced patches for two high-severity errors, in BIG-IQ centralized management (CVE-2022-23009 – CVSS score of 8.0) and NGINX controller API management (CVE-2022-23008 – CVSS score of 8.7).
The bugs can be exploited to access other BIG-IP devices managed by the same BIG-IQ system and to inject JavaScript code, respectively.
All of the nine medium-severity vulnerabilities patched this week affect BIG-IP, but one of them – namely CVE-2022-23023, leading to increased memory resource utilization – impacts BIG-IQ as well.
The flaws can lead to TMM termination, increase in resource utilization, virtual server freezes, failure of certain types of TCP connections, or the leak of local files.
Additionally, F5 patched one low-severity vulnerability leading to a DNS rebinding attack.
The United States Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review F5’s advisory and install the available software updates as soon as possible.
“A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system,” CISA notes.
Related: Researchers Raise Alarm for F5 BIG-IP Malware Attacks
Related: F5 Patches Four Critical Bugs in Big-IP Suite
Related: Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
