Cloud security and application delivery network (ADN) company F5 on Wednesday released patches to address 43 bugs spanning its products.
Of the 43 issues addressed, just one is rated Critical, 17 are rated High, 24 are rated Medium, and 1 is rated Low in severity.
Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a missing authentication check, potentially making it possible for an attacker to take control of an affected system.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 said in an advisory. “There is no data plane exposure; this is a control plane issue only.”
The security vulnerability, which the company said was discovered internally, impacts BIG-IP products with the following versions –
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6
- 11.6.1 – 11.6.5
Patches for the iControl REST authentication bypass flaw have been released in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.
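The affected ranges are given as three-part versions while the fixes are point releases inside those same branches (16.1.2 is affected, 16.1.2.2 is fixed), so a naive tuple comparison against the range's upper bound gets the answer wrong. The following checker is an added example, not F5's code; it assumes a BIG-IP version string as input, uses the affected ranges listed above, and treats the 12.1 and 11.6 branches as having no fixed release named in the advisory.

```python
"""Assess a BIG-IP version string against the CVE-2022-1388 affected ranges."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (range start, range end, first fixed release) per affected branch, as given
# in the advisory; None means no fixed release is listed for that branch.
AFFECTED_BRANCHES = [
    ((16, 1, 0), (16, 1, 2), (16, 1, 2, 2)),
    ((15, 1, 0), (15, 1, 5), (15, 1, 5, 1)),
    ((14, 1, 0), (14, 1, 4), (14, 1, 4, 6)),
    ((13, 1, 0), (13, 1, 4), (13, 1, 5)),
    ((12, 1, 0), (12, 1, 6), None),
    ((11, 6, 1), (11, 6, 5), None),
]
FIRST_UNAFFECTED_MAJOR = (17, 0, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.maint[.point]' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return parts


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for a version string."""
    version = parse_version(text)
    branch = version[:2]           # major.minor identifies the release branch
    base = version[:3]             # major.minor.maint is what the ranges use
    for start, end, fixed in AFFECTED_BRANCHES:
        if branch != start[:2]:
            continue
        # A fixed point release sorts above the range end, so test it first.
        if fixed is not None and version >= fixed:
            return "fixed"
        if start <= base <= end:
            return "vulnerable"
        return "not listed"
    if version >= FIRST_UNAFFECTED_MAJOR:
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    for sample in ("16.1.2", "16.1.2.1", "16.1.2.2", "13.1.5", "12.1.6"):
        print(f"{sample:10} -> {assess(sample)}")
```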
F5 has also provided temporary workarounds until the fixes can be applied –
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
With F5 appliances widely deployed in enterprise networks, it’s critical that organizations move quickly to apply the patches to prevent threat actors from exploiting the attack vector for initial access.
The security fixes arrive as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation –
- CVE-2021-1789 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2019-8506 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2014-4113 – Microsoft Win32k Privilege Escalation Vulnerability
- CVE-2014-0322 – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2014-0160 – OpenSSL Information Disclosure Vulnerability