F5 Big-IP iControl REST Vulnerability – CVE-2022-1388 – and others
Security Bulletin
On 4th May 2022, F5 announced a Critical vulnerability in Big-IP iControl REST. The vulnerability may allow an unauthenticated attacker with network access to Big-IP through the management port and/or direct connection via an internal network (self IP) to execute arbitrary system commands, access or modify files, or disable services on the control plane.
This vulnerability has been assigned CVE-2022-1388 with a CVSS 3.1 score of 9.8 (Critical). CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
F5 has released security updates to address this vulnerability.
F5 also announced 17 High severity vulnerabilities and 24 Medium severity vulnerabilities across its products.
Affected Products
F5 products affected by CVE-2022-1388 are as follows:
| Product | Branch | Vulnerable | Fixed |
| Big-IP (all modules) | 17.x | None | 17.0.0 |
| 16.x | 16.1.0 – 16.1.2 | 16.1.2.2 | |
| 15.x | 15.1.0 – 15.1.5 | 15.1.5.1 | |
| 14.x | 14.1.0 – 14.1.4 | 14.1.4.6 | |
| 13.x | 13.1.0 – 13.1.4 | 13.1.5 | |
| 12.x | 12.1.0 – 12.1.6 | Will not fix | |
| 11.x | 11.6.1 – 11.6.5 | Will not fix |
Big-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are NOT vulnerable.