Site icon API Security Blog

Overview of F5 vulnerabilities (May 2022)

On May 4, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.

Distributed Cloud and Managed Services

Service | Status
—|—
F5 Distributed Cloud Services | Does not affect or has been resolved
Silverline | Does not affect or has been resolved
Threat Stack | Does not affect or has been resolved

* [Critical CVEs]()
* [High CVEs]()
* [Medium CVEs]()
* [Low CVEs]()
* [Security Exposures]()

Critical CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388]() | 9.8 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

High CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K52322100: Authenticated F5 BIG-IP Guided Configuration integrity check in Appliance mode vulnerability CVE-2022-25946]() | 8.7 – Appliance mode only | BIG-IP Guided Configuration | 3.0 – 8.0 | 9.0
BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0.8 – 13.1.5 | 17.0.0
[K68647001: Authenticated F5 BIG-IP Guided Configuration in Appliance mode vulnerability CVE-2022-27806]() | 8.7 – Appliance mode only | BIG-IP Guided Configuration | 3.0 – 8.0 | 9.0
BIG-IP (Advanced WAF, APM, ASM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0.8 – 13.1.5 | 17.0.0
[K70300233: BIG-IP TMUI XSS vulnerability CVE-2022-28707]() | 8.0 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
[K33552735: BIG-IP Edge Client for Windows vulnerability CVE-2022-29263]() | 7.8 | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
BIG-IP APM Clients | 7.1.8 – 7.2.1 | 7.2.2
7.2.1.5
[K81952114: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-26415]() | 7.7 – Appliance mode only | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K23454411: DNS profile vulnerability CVE-2022-26372]() | 7.5 | BIG-IP (all modules) | 15.1.0
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 16.0.0
15.1.0.2
14.1.4.6
13.1.5
[K25451853: TMUI XSS vulnerability CVE-2022-28716]() | 7.5 | BIG-IP (AFM, CGNAT, PEM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K16187341: BIG-IP ICAP profile vulnerability CVE-2022-27189]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K21317311: F5 BIG-IP Guided Configuration XSS vulnerability CVE-2022-27230]() | 7.5 | BIG-IP Guided Configuration | 3.0 – 8.0 | 9.0
BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0.8 – 13.1.5 | 17.0.0
[K37155600: BIG-IP RTSP profile vulnerability CVE-2022-28691]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.4
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.2.2
15.1.5
14.1.4.6
13.1.5
[K14229426: BIG-IP SSL vulnerability CVE-2022-29491]() | 7.5 | BIG-IP (LTM, Advanced WAF, ASM, APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.4
14.1.0 – 14.1.4
13.1.0 – 13.1.5
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5
14.1.4.6
[K52340447: F5 ePVA vulnerability CVE-2022-28705]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K03442392: BIG-IP ASM and F5 Advanced WAF vulnerability CVE-2022-26890]() | 7.5 | BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.4
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.2.1
15.1.5
14.1.4.6
13.1.5
[K99123750: BIG-IP Stream profile vulnerability CVE-2022-28701]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2 | 17.0.0
16.1.2.2
[K41440465: BIG-IP TMM vulnerability CVE-2022-26071]() | 7.4 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K54460845: BIG-IP Edge Client for Windows vulnerability CVE-2022-28714]() | 7.3 | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
BIG-IP APM Clients | 7.2.1 – 7.2.1
7.1.6 – 7.1.9 | 7.2.2
7.2.1.5
[K08510472: BIG-IP TMUI vulnerability CVE-2022-28695]() | 7.2 – Standard deployment mode | BIG-IP (AFM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
9.1 – Appliance mode

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Medium CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K92807525: TMUI XSS vulnerability CVE-2022-27878]() | 6.8 | BIG-IP Guided Configuration | 6.0 – 8.0 | 9.0
BIG-IP (all modules) | 16.0.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0.4 – 13.1.5 | 17.0.0
[K94093538: NGINX Service Mesh control plane vulnerability CVE-2022-27495]() | 6.5 | NGINX Service Mesh | 1.3.0 – 1.3.1 | 1.4.0
[K57555833: BIG-IP APM vulnerability CVE-2022-27634]() | 6.5 | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5 | 17.0.0
16.1.2.2
15.1.5.1
[K47662005: BIG-IP Net HSM script vulnerability CVE-2022-28859]() | 6.5 | BIG-IP (all modules) | 16.0.0 – 16.0.1
15.1.0 – 15.1.5
14.1.0 – 14.1.4 | 17.0.0
16.1.0
15.1.5.1
14.1.4.6
[K06323049: BIG-IP IPsec ALG vulnerability CVE-2022-29473]() | 5.9 | BIG-IP (all modules) | 15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 16.1.0
15.1.5.1
14.1.4.5
13.1.5
[K51539421: BIG-IP SIP ALG profile vulnerability CVE-2022-26370]() | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.4
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.5
14.1.4.6
[K54082580: BIG-IP CGNAT LSN vulnerability CVE-2022-26517]() | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.0.1
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.0
15.1.5.1
14.1.4.6
13.1.5
[K03755971: BIG-IP DNS resolver vulnerability CVE-2022-28706]() | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.1.1
15.1.0 – 15.1.5 | 17.0.0
16.1.2
15.1.5.1
[K85054496: BIG-IP DNS resolver vulnerability CVE-2022-28708]() | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5 | 17.0.0
16.1.2.2
15.1.5.1
[K40019131: F5 Access for Android vulnerability CVE-2022-27875]() | 5.5 | F5 Access for Android | 3.0.6 – 3.0.7 | 3.0.8
[K57110035: BIG-IP APM Edge client for Windows logging vulnerability CVE-2022-27636]() | 5.5 | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
BIG-IP APM Clients | 7.1.6 – 7.2.1 | 7.2.1.5
[K44233515: F5OS-A vulnerability CVE-2022-25990]() | 5.3 | F5OS-A | 1.0.0 | 1.0.1
[K82034427: BIG-IP FTP profile vulnerability CVE-2022-26130]() | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K71103363: BIG-IP big3d vulnerability CVE-2022-29480]() | 5.3 | BIG-IP (all modules) | 13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 14.0.0
13.1.5
[K64124988: TMM IPv6 stack vulnerability CVE-2022-29479]() | 5.3 | BIG-IP (all modules) | 16.0.0 – 16.0.1
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.0
15.1.5.1
14.1.4.6
13.1.5
BIG-IQ Centralized Management | 8.0.0 – 8.2.0
7.0.0 – 7.1.0 | None
[K31856317: BIG-IP Packet Filters vulnerability CVE-2022-27182]() | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
[K93543114: BIG-IP APM vulnerability CVE-2022-27181]() | 5.3 | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K53197140: BIG-IP iControl REST and tmsh vulnerabilities CVE-2022-26835]() | 4.9 – Standard deployment mode | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
6.8 – Appliance mode
[K38271531: BIG-IP and BIG-IQ SCP vulnerability CVE-2022-26340]() | 4.9 | BIG-IP (all modules) | 16.0.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
BIG-IQ Centralized Management | 8.0.0 – 8.2.0
7.0.0 – 7.1.0 | None
[K24248011: Traffix SDC Configuration utility vulnerability CVE-2022-27662]() | 4.8 | Traffix SDC | 5.2.0
5.1.0 | 5.2.2
5.1.35
[K17341495: Traffix SDC Configuration utility vulnerability CVE-2022-27880]() | 4.8 | Traffix SDC | 5.2.0
5.1.0 | 5.2.2
5.1.35
[K15101402: iControl REST vulnerability CVE-2022-1468]() | 4.3 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.5
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | None
[K41877405: BIG-IP TMUI vulnerability CVE-2022-27659]() | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
[K59904248: iControl SOAP vulnerability CVE-2022-29474]() | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Low CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K49905324: BIG-IP TMUI CSRF vulnerability CVE-2022-1389]() | 3.1 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.5
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Security Exposures

Security Advisory (Exposure) | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—
[K68816502: A BIG-IP LTM policy referencing an external data group may not match traffic]() | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.5
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
[K74302282: BIG-IP APM RDP resource security exposure]() | BIG-IP (APM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K70134152: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect encoded directory traversal security exposure]() | BIG-IP (Advanced WAF, ASM) | 16.1.0
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.1
15.1.4
14.1.4.4
13.1.5
NGINX App Protect | 3.0.0 – 3.6.0
2.0.0 – 2.3.0
1.0.0 – 1.3.0 | 3.7.0
[K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure]() | BIG-IP (Advanced WAF, ASM) | 15.1.0 – 15.1.4
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 16.1.0
15.1.4.1
14.1.4.4
13.1.5
[K67397230: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect normalizing security exposure]() | BIG-IP (Advanced WAF, ASM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.4
14.1.0 – 14.1.4 | 17.0.0
16.1.2.1
15.1.5
14.1.4.6
NGINX App Protect | 3.0.0 – 3.6.0
2.0.0 – 2.3.0
1.0.0 – 1.3.0 | 3.7.0
[K53593534: BIG-IP ASM and F5 Advanced WAF attack signature check failure on certain HTTP requests]() | BIG-IP (Advanced WAF, ASM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K39002226: F5 Advanced WAF and BIG-IP ASM multipart request security exposure]() | BIG-IP (Advanced WAF, ASM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K94142349: BIG-IP Advanced WAF and ASM WebSocket security exposure]() | BIG-IP (Advanced WAF, ASM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K85021277: BIG-IP DNSSEC security exposure]() | BIG-IP (DNS) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5
[K92306170: BIG-IP AFM single endpoint flood/sweep DoS vector security exposure ]() | BIG-IP (AFM) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.5.1
14.1.4.6

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.Read More

Exit mobile version