F5 Big-IP iControl REST Vulnerability – CVE-2022-1388 – and others
On 4th May 2022, F5 announced a Critical vulnerability in Big-IP iControl REST. The vulnerability may allow an unauthenticated attacker with network access to Big-IP through the management port and/or direct connection via an internal network (self IP) to execute arbitrary system commands, access or modify files, or disable services on the control plane.
This vulnerability has been assigned CVE-2022-1388 with a CVSS 3.1 score of 9.8 (Critical). CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
F5 has released security updates to address this vulnerability.
F5 also announced 17 High severity vulnerabilities and 24 Medium severity vulnerabilities across its products.
F5 products affected by CVE-2022-1388 are as follows:
|Big-IP (all modules)||17.x||None||17.0.0|
|16.x||16.1.0 – 16.1.2||18.104.22.168|
|15.x||15.1.0 – 15.1.5||22.214.171.124|
|14.x||14.1.0 – 14.1.4||126.96.36.199|
|13.x||13.1.0 – 13.1.4||13.1.5|
|12.x||12.1.0 – 12.1.6||Will not fix|
|11.x||11.6.1 – 11.6.5||Will not fix|
Big-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are NOT vulnerable.