F5 Releases Patches to Fix 25 Vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Solutions

F5, the multi-cloud management, application delivery, and security solution provider, has released 25 patches to address vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Controller API Management solutions in its January 2022 quarterly security notification. 15 of the vulnerabilities are high-severity issues, 9 are medium-severity flaws, and one is a low-severity issue. Most of the vulnerabilities could be exploited in a denial-of-service attack; in some cases, they could allow an attacker to take control of a vulnerable system.

23 of the patches have been released to fix vulnerabilities in F5's BIG-IP application delivery, access control, and application security solutions, 13 of which are rated high-severity. The flaws affect several versions of the BIG-IP solutions from 11.x to 16.x, and each has a CVSS severity score of 7.5 out of 10. The vulnerabilities could be exploited in a denial-of-service attack to terminate the Traffic Management Microkernel (TMM) or freeze virtual servers, or to cause an increase in memory resource utilization. The patches address vulnerabilities in versions 14.x, 15.x, and 16.x.

The 9 medium-severity flaws all affect F5 BIG-IP solutions and can result in termination of the TMM, an increase in memory resource utilization, an increase in CPU/disk resource utilization, a virtual server that stops processing new client connections, or the failure of certain types of TCP connections.

The two most serious vulnerabilities affect NGINX Controller API Management and BIG-IQ Centralized Management. The NGINX Controller API Management flaw, CVE-2022-23008, has been assigned a CVSS severity score of 8.7 out of 10 and allows an authenticated attacker with access to the ‘user’ or ‘admin’ role to use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is then executed on managed NGINX data plane instances.

The BIG-IQ Centralized Management vulnerability, tracked as CVE-2022-23009, allows an authenticated user with an administrative role on a vulnerable BIG-IQ-managed BIG-IP device to access other BIG-IP devices managed by the same BIG-IQ system. The flaw has been assigned a CVSS score of 8.0 out of 10.

While none of the vulnerabilities are rated critical, F5 solutions have previously been targeted by hackers, so prompt patching is strongly recommended. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging all users and administrators of F5 solutions to review the security advisory and implement the mitigations as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news