F5, Cisco admins: Stop what you're doing and check if you need to install these patches
2022-05-06 02:06

F5 Networks and Cisco this week issued warnings about serious, and in some cases critical, security vulnerabilities in their products.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," as F5 put it in its advisory.

"The vulnerabilities are not dependent on one another," Cisco's Product Security Incident Response Team added in its advisory.

"Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities."

For its part, Cisco detailed three vulnerabilities - tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, found by a team calling itself the Orange Group - in its Enterprise NFVIS, which enables virtual network functions to be managed independently.

"An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM," Cisco PSIRT wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/06/cisco-f5-networking-vulnerabilities/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK

2022-05-04 | CVE-2022-20780 | XXE vulnerability in Cisco Enterprise NFV Infrastructure Software | 7.4
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.
network, low complexity, cisco, CWE-611

2022-05-04 | CVE-2022-20779 | Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software | 8.8
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.
network, low complexity, cisco, CWE-20

2022-05-04 | CVE-2022-20777 | Unspecified vulnerability in Cisco Enterprise NFV Infrastructure Software | 9.9
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.
network, low complexity, cisco, critical

Related vendor

VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Cisco | 2046 | 21 | 1773 | 1669 | 288 | 3751
F5 | 143 | 6 | 275 | 404 | 64 | 749