
F5 BIG-IP Configuration Utility Unauthenticated RCE

27th October 2023

Summary

F5 has announced a Critical severity vulnerability in the F5 BIG-IP Configuration Utility (also known as TMUI). CVE-2023-46747 (CVSS v3.1 base score 9.8) allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to bypass Configuration Utility authentication and execute arbitrary system commands. There is no data plane exposure: this is a control plane issue only, so the traffic a BIG-IP proxies for its virtual servers is not the attack path, but any network that can reach its management interfaces is.

F5 has released fixes for the affected versions, listed below, and also documents a workaround in its bulletin for systems that cannot be upgraded immediately.

Affected Products

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

In each case the fix is the listed point release plus the named engineering hotfix installed on top of it; a system running the point release without the hotfix is still vulnerable.

You can also use F5 iHealth to check whether a BIG-IP or BIG-IQ system is exposed to this vulnerability by uploading a QKView from the system.
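As a quick way of applying the fix matrix above across an inventory of BIG-IP systems, the following Python is an added example and is not part of F5's bulletin or tooling. It treats a system as fixed only when it reports both the listed point release and a build number at or above the engineering hotfix's build; the hotfix build is read off the hotfix file name in the bulletin (Hotfix-BIGIP-<release>.<build>-ENG), and that reading of F5's naming, the sample inventory and its base build numbers are all assumptions constructed for the example. Versions newer than the listed fixed release are assumed to carry the fix, and branches the bulletin does not list are flagged for manual checking rather than judged.

```python
"""Added example: classify BIG-IP versions against the CVE-2023-46747 fix matrix.

Not F5 code. Hotfix build numbers are taken from the hotfix file names in the
bulletin (Hotfix-BIGIP-<release>.<build>-ENG), an assumption about F5's naming;
the sample inventory at the bottom is constructed, not real data.
"""
from typing import NamedTuple, Optional


class Fix(NamedTuple):
    fixed_release: str  # point release F5 lists as containing the fix
    hotfix_build: str   # build of the ENG hotfix that must also be installed


# Fix matrix from the bulletin, keyed by the major.minor branch.
FIXES = {
    (17, 1): Fix("17.1.0.3", "0.75.4"),
    (16, 1): Fix("16.1.4.1", "0.50.5"),
    (15, 1): Fix("15.1.10.2", "0.44.2"),
    (14, 1): Fix("14.1.5.6", "0.10.6"),
    (13, 1): Fix("13.1.5.1", "0.20.2"),
}


class Result(NamedTuple):
    status: str  # "vulnerable", "needs-hotfix", "fixed" or "not-listed"
    action: str  # what to do about it


def vtuple(text: str, width: int) -> tuple:
    """'16.1.4' -> (16, 1, 4, 0): zero-pad so 16.1.4 sorts below 16.1.4.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def assess(version: str, build: Optional[str] = None) -> Result:
    """Judge one system from its reported version and, if known, its build."""
    v = vtuple(version, 4)
    fix = FIXES.get(v[:2])
    if fix is None:
        # Branch not covered by the bulletin (e.g. 12.x or 16.0.x): don't guess.
        return Result("not-listed", "version branch not in bulletin; check F5 directly")
    fixed = vtuple(fix.fixed_release, 4)
    hotfix = f"Hotfix-BIGIP-{fix.fixed_release}.{fix.hotfix_build}-ENG"
    if v < fixed:
        return Result("vulnerable", f"upgrade to {fix.fixed_release} + {hotfix}")
    if v == fixed:
        # On the fixed point release the ENG hotfix still has to be present;
        # with no build number reported, assume it is not.
        if build is not None and vtuple(build, 3) >= vtuple(fix.hotfix_build, 3):
            return Result("fixed", "no action")
        return Result("needs-hotfix", f"install {hotfix}")
    # Newer than the listed fixed release: assumed to carry the fix.
    return Result("fixed", "no action")


# Constructed inventory of (hostname, version, build); the base build numbers
# for un-hotfixed releases are made up for the example.
INVENTORY = [
    ("lb-edge-01", "16.1.3", "0.0.12"),
    ("lb-edge-02", "17.1.0.3", "0.0.5"),
    ("lb-edge-03", "17.1.0.3", "0.75.4"),
    ("lb-core-01", "15.1.10.2", "0.44.2"),
    ("lb-core-02", "14.1.5.6", None),
    ("lb-lab-01", "12.1.6", "0.0.4"),
]


def report(inventory):
    """Return [(host, status, action)] for every system in the inventory."""
    return [(host, *assess(ver, build)) for host, ver, build in inventory]


if __name__ == "__main__":
    for host, status, action in report(INVENTORY):
        print(f"{host:12} {status:13} {action}")
```

The conservative branch is deliberate: a host on the fixed point release whose build is unknown is reported as needing the hotfix, because the failure mode to avoid is marking a half-patched system as done. Treat "not-listed" as a prompt to read the bulletin, not as a clean result.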

Recommendations

Given the Critical severity of this vulnerability and the central position BIG-IP occupies in most networks, organisations should upgrade affected systems to the listed fixed release and install the corresponding engineering hotfix as soon as possible. Where an immediate upgrade is not possible, apply the workaround documented in F5's bulletin. In either case, confirm that the management port and self IP addresses are reachable only from trusted management networks, since that network access is the precondition for exploitation.