Security News > 2020 > July > F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch
2020-07-03 00:36

Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.

The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface.

"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5. "RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."

These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications.

The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, and 11.6.5.2.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/07/03/f5_critical_flaws_big_ip/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-07-01 CVE-2020-5902 Path Traversal vulnerability in F5 products
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
network
low complexity
f5 CWE-22
critical
9.8
2020-07-01 CVE-2020-5903 Cross-site Scripting vulnerability in F5 products
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
F5 141 6 267 399 64 736