Overview of F5 vulnerabilities (August 2022)
Discription

On August 3, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.

Distributed Cloud and Managed Services

Service | Status
—|—
F5 Distributed Cloud Services | Does not affect or has been resolved
Silverline | Does not affect or has been resolved
Threat Stack | Does not affect or has been resolved

* [High CVEs]()
* [Medium CVEs]()
* [Low CVEs]()
* [Security Exposures]()

High CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K11010341: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-35243]() | 8.7 – Appliance mode only | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 17.0.0
16.1.3
15.1.5.1
14.1.5
[K55580033: iControl REST vulnerability CVE-2022-35728]() | 8.1 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5
13.1.0 – 13.1.5 | 17.0.0.1
16.1.3.1
15.1.6.1
14.1.5.1
BIG-IQ Centralized Management | 8.0.0 – 8.1.0
7.0.0 – 7.1.0 | 8.2.0
[K93504311: TMM vulnerability CVE-2022-34655]() | 7.5 | BIG-IP (all modules) | 16.0.0 – 16.0.1
15.1.0 – 15.1.6
14.1.0 – 14.1.4 | 17.0.0
16.1.0
16.0.1.1
15.1.6.1
14.1.5
[K58235223: BIG-IP APM access policy vulnerability CVE-2022-35245]() | 7.5 | BIG-IP (APM) | 16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5 | 17.0.0
16.1.3.1
15.1.6.1
14.1.5.1
[K28405643: BIG-IP Message Routing MQTT vulnerability CVE-2022-35240]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.6.1
14.1.5
[K79933541: HTTP2 profile vulnerability CVE-2022-35236]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4 | 17.0.0
16.1.2.2
15.1.6.1
14.1.5
[K59197053: BIG-IP TLS1.3 iRule vulnerability CVE-2022-34651]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3
15.1.0 – 15.1.6 | 17.0.0
16.1.3.1
15.1.6.1
[K16852653: TMM vulnerability CVE-2022-32455]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 17.0.0
16.1.2.2
15.1.6.1
14.1.5
[K66510514: TMM vulnerability CVE-2022-34862]() | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 17.0.0
16.1.3.1
15.1.6.1
14.1.5
[K52534925: BIG-IP APM and SSL Orchestrator vulnerability CVE-2022-33203]() | 7.5 | BIG-IP (APM and SSL Orchestrator) | 16.1.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4 | 17.0.0
16.1.3
15.1.6.1
14.1.5
[K90024104: BIG-IP HTTP MRF vulnerability CVE-2022-35272]() | 7.5 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.3 | 17.0.0.1
16.1.3.1
[K13213418: BIG-IP monitor configuration vulnerability CVE-2022-35735]() | 7.2 | BIG-IP (all modules) | 16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5
13.1.0 – 13.1.5 | 17.0.0
16.1.3.1
15.1.6.1
14.1.5.1

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Medium CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K34893234: BIG-IP APM Appliance mode vulnerability CVE-2022-31473]() | 6.8 – Appliance mode only | BIG-IP (APM) | 16.1.0
15.1.0 – 15.1.3 | 17.0.0
16.1.1
15.1.4
[K80970653: BIG-IP iRules vulnerability CVE-2022-33962]() | 6.7 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5
13.1.0 – 13.1.5 | 17.0.0.1
16.1.3.1
15.1.6.1
14.1.5.1
[K37080719: NGINX Instance Manager vulnerability CVE-2022-35241]() | 6.5 | NGINX Instance Manager | 2.0.0 – 2.3.0
1.0.0 – 1.0.4 | 2.3.1
[K52125139: NGINX Ingress Controller vulnerability CVE-2022-30535]() | 6.5 | NGINX Ingress Controller | 2.0.0 – 2.2.0
1.0.0 – 1.12.4 | 2.3.0
[K34511555: BIG-IP AWS vulnerability CVE-2022-34844]() | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.3
15.1.0 – 15.1.6
| 17.0.0
16.1.3.1
15.1.6.1
BIG-IQ Centralized Management | 8.0.0 – 8.2.0 | None
[K38893457: BIG-IP DNS TMUI vulnerability CVE-2022-33947]() | 5.4 | BIG-IP (DNS) | 16.0.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 17.0.0
16.1.3
15.1.6.1
14.1.5
[K25046752: Traffic Intelligence feeds vulnerability CVE-2022-34865]() | 4.8 | BIG-IP (all modules) | 15.1.0 – 15.1.6
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 16.1.0
15.1.6.1
14.1.5
[K50310001: BIG-IP and BIG-IQ iControl SOAP vulnerability CVE-2022-34851]() | 4.3 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5
13.1.0 – 13.1.5 | 17.0.0.1
16.1.3.1
15.1.6.1
14.1.5.1
BIG-IQ Centralized Management | 8.0.0 – 8.2.0 | None

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Low CVEs

Security Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—|—
[K23465404: BIG-IP LTM and APM NTLM vulnerability CVE-2022-33968]() | 3.7 | BIG-IP (all modules) | 17.0.0
16.1.0 – 16.1.3
15.1.0 – 15.1.6
14.1.0 – 14.1.5
13.1.0 – 13.1.5 | 17.0.0.1
16.1.3.1
15.1.6.1
14.1.5.1

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

Security Exposures

Security Advisory (Exposure) | Affected products | Affected versions1 | Fixes introduced in
—|—|—|—
[K22251611: Attack signature check security exposure]() | BIG-IP (ASM/AWAF) | 16.1.0 – 16.1.2
15.1.0 – 15.1.6
14.1.0 – 14.1.4
13.1.0 – 13.1.5 | 17.0.0
16.1.2.2
15.1.6.1
14.1.5

1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.Read More

References

Back to Main
Subscribe for the latest news: