Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and just one is rated low in severity.
Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM) that allows an authenticated user to perform a privilege escalation.
“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.
It is worth noting that for customers running the device in Appliance mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical score of 9.9 out of 10. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.
The other key vulnerabilities fixed by F5 are listed below:
- CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
- CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
- CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
- CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
- CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
- CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM WebSocket vulnerabilities
- CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
- CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel (TMM) vulnerabilities
In addition, F5 has patched a number of flaws ranging from a directory traversal vulnerability and SQL injection to an open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.
With F5 products frequently being attractive targets for active exploitation attempts by threat actors, users and administrators are strongly advised to install the updated software or apply the necessary mitigations as soon as possible.