Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.
Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.
"When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise," F5 said in its advisory.
It is worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability carries a critical score of 9.9 out of 10. "As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted," the company said.
The other major vulnerabilities resolved by F5 are listed below:
- CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in the BIG-IP Configuration utility
- CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
- CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
- CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
- CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
- CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM WebSocket vulnerabilities
- CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
- CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities
Additionally, F5 has patched a number of flaws ranging from a directory traversal vulnerability and SQL injection to an open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.
With F5 devices frequently becoming attractive targets for active exploitation attempts by threat actors, it is highly recommended that users and administrators install the updated software or apply the necessary mitigations as soon as possible.