Security News > 2021 > August > F5 Releases Critical Security Patch for BIG-IP and BIG-IQ Devices

F5 Releases Critical Security Patch for BIG-IP and BIG-IQ Devices
2021-08-27 00:48

Enterprise security and network appliance vendor F5 has released patches for more than two dozen security vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.

Chief among them is CVE-2021-23031, a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.

It's worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical rating of 9.9 out of 10.

The other major vulnerabilities resolved by F5 are listed below -.

CVE-2021-23026 - Cross-site request forgery vulnerability in iControl SOAP. CVE-2021-23027 and CVE-2021-23037 - TMUI DOM-based and reflected cross-site scripting vulnerabilities.

F5 has also patched a number of flaws that range from directory traversal vulnerability and SQL injection to open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that results in the database consuming more storage space than expected when brute-force protection features of the firewall are enabled.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/66BNzlwz29I/f5-releases-critical-security-patches.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-23027 Cross-site Scripting vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
f5 CWE-79
4.3
2021-09-14 CVE-2021-23026 Cross-Site Request Forgery (CSRF) vulnerability in F5 products
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
network
f5 CWE-352
6.8
2021-09-14 CVE-2021-23031 OS Command Injection vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility.
network
low complexity
f5 CWE-78
6.5
2021-09-14 CVE-2021-23037 Cross-site Scripting vulnerability in F5 products
On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
f5 CWE-79
4.3

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
F5 208 52 497 201 39 789