27th October 2023
F5 has announced a Critical severity vulnerability in the F5 BIG-IP Configuration Utility. CVE-2023-46747 (CVSS 3.1: 9.8) is an Unauthenticated Remote Code Execution vulnerability which may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.
F5 has released patches as listed below for affected products and also details a workaround in its bulletin.
- 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
You can also use iHealth to check whether your BIG-IP and BIG-IQ systems are affected by this vulnerability.
Given the Critical severity of this vulnerability and the central role BIG-IP plays in most deployments, organisations should apply the fix as soon as possible.
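The fix for each branch is an engineering hotfix on top of a specific point release, so comparing the version string alone is not enough: a device on the listed point release without the hotfix build is still vulnerable. The following script, an added example rather than F5 tooling, parses the `Version` and `Build` fields from `tmsh show sys version` output and classifies the device against the affected ranges and fixed releases listed above. The sample `tmsh` output embedded in it is constructed for illustration; the field layout and the status labels (`affected`, `fixed`, `not_listed`) are this example's own assumptions.

```python
"""Classify a BIG-IP release against the CVE-2023-46747 advisory table.

Added example; not F5 code.  The table below reproduces the affected
ranges and fixed releases from the advisory text above.  The hotfix
build number is the last part of the Hotfix-BIGIP-<version>.<build>-ENG
name (e.g. 16.1.4.1.0.50.5 -> version 16.1.4.1, build 0.50.5).
"""
import re
from typing import NamedTuple, Tuple


class Release(NamedTuple):
    version: Tuple[int, ...]   # always padded to four fields
    build: Tuple[int, ...]


# (first affected, last affected, fixed point release, fixed hotfix build)
ADVISORY_TABLE = [
    ("17.1.0", "17.1.0", "17.1.0.3", "0.75.4"),
    ("16.1.0", "16.1.4", "16.1.4.1", "0.50.5"),
    ("15.1.0", "15.1.10", "15.1.10.2", "0.44.2"),
    ("14.1.0", "14.1.5", "14.1.5.6", "0.10.6"),
    ("13.1.0", "13.1.5", "13.1.5.1", "0.20.2"),
]


def parse_dotted(text: str) -> Tuple[int, ...]:
    """'16.1.4.1' -> (16, 1, 4, 1); rejects anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text.strip()):
        raise ValueError(f"not a dotted number: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def pad(parts: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Pad so that '16.1.4' and '16.1.4.0' compare equal."""
    return parts + (0,) * (width - len(parts))


def parse_sys_version(output: str) -> Release:
    """Extract Version and Build from 'tmsh show sys version' output."""
    version = re.search(r"^\s*Version\s+(\S+)", output, re.MULTILINE)
    build = re.search(r"^\s*Build\s+(\S+)", output, re.MULTILINE)
    if not version or not build:
        raise ValueError("Version/Build fields not found in tmsh output")
    return Release(pad(parse_dotted(version.group(1))), parse_dotted(build.group(1)))


def assess(rel: Release) -> str:
    """Return 'affected', 'fixed' or 'not_listed' for the given release.

    'not_listed' means the release falls outside every range the advisory
    names (an EoL branch, or a release newer than the listed ranges) and the
    bulletin itself should be consulted.
    """
    for first, last, fixed, hotfix in ADVISORY_TABLE:
        first_v, last_v, fixed_v = (pad(parse_dotted(x)) for x in (first, last, fixed))
        if rel.version[:2] != first_v[:2]:
            continue                                  # different major.minor branch
        if rel.version < first_v or rel.version[:3] > last_v[:3]:
            return "not_listed"                       # same branch, outside the range
        if rel.version > fixed_v:
            return "fixed"                            # later point release than the fix
        if rel.version == fixed_v:
            # Fixed point release: only fixed once the ENG hotfix build is on it.
            return "fixed" if rel.build >= parse_dotted(hotfix) else "affected"
        return "affected"
    return "not_listed"


# Constructed sample of 'tmsh show sys version' output (not captured from a real device).
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.1
  Build       0.0.11
  Edition     Point Release 1
"""


def assess_output(output: str) -> str:
    """Convenience wrapper: classify raw tmsh output in one call."""
    return assess(parse_sys_version(output))


if __name__ == "__main__":
    rel = parse_sys_version(SAMPLE_OUTPUT)
    ver = ".".join(map(str, rel.version))
    bld = ".".join(map(str, rel.build))
    print(f"BIG-IP {ver} build {bld}: {assess(rel)}")
```

Feeding the script the real output (`tmsh show sys version` on the device, or the same text captured into an iHealth qkview) gives a per-device answer that can be rolled up across a fleet; note that the 17.1.0 row stops at 17.1.0.x, so a 17.1.1 device is reported as `not_listed` rather than silently treated as fixed.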