Vulnerabilities > CVE-2022-23031 - XXE vulnerability in F5 products

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

CWE-611

NVD

Published: 2022-01-25

Updated: 2022-02-01

Summary

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Advanced WEB Application Firewall 14.1.0 F5 BIG IP Advanced WEB Application Firewall 14.1.0.1 F5 BIG IP Advanced WEB Application Firewall 14.1.0.3 F5 BIG IP Advanced WEB Application Firewall 14.1.2 F5 BIG IP Advanced WEB Application Firewall 14.1.2-0.0.37 F5 BIG IP Advanced WEB Application Firewall 14.1.2-0.89.37 F5 BIG IP Advanced WEB Application Firewall 14.1.2.1 F5 BIG IP Advanced WEB Application Firewall 14.1.2.1-0.0.4 F5 BIG IP Advanced WEB Application Firewall 14.1.2.2 F5 BIG IP Advanced WEB Application Firewall 14.1.2.2-0.0.4 F5 BIG IP Advanced WEB Application Firewall 14.1.2.3 F5 BIG IP Advanced WEB Application Firewall 14.1.2.3-0.0.5 F5 BIG IP Advanced WEB Application Firewall 14.1.2.5 F5 BIG IP Advanced WEB Application Firewall 14.1.2.5-0.0.3 F5 BIG IP Advanced WEB Application Firewall 14.1.2.6 F5 BIG IP Advanced WEB Application Firewall 14.1.2.6-0.0.2 F5 BIG IP Advanced WEB Application Firewall 14.1.2.7 F5 BIG IP Advanced WEB Application Firewall 14.1.2.7-0.0.5 F5 BIG IP Advanced WEB Application Firewall 14.1.2.8 F5 BIG IP Advanced WEB Application Firewall 14.1.3.1 F5 BIG IP Advanced WEB Application Firewall 14.1.4 F5 BIG IP Advanced WEB Application Firewall 15.1.0 F5 BIG IP Advanced WEB Application Firewall 15.1.0.2 F5 BIG IP Advanced WEB Application Firewall 15.1.0.4 F5 BIG IP Advanced WEB Application Firewall 15.1.0.5 F5 BIG IP Advanced WEB Application Firewall 15.1.1 F5 BIG IP Advanced WEB Application Firewall 15.1.2 F5 BIG IP Advanced WEB Application Firewall 15.1.2.1 F5 BIG IP Advanced WEB Application Firewall 16.0.0 F5 BIG IP Advanced WEB Application Firewall 16.0.1 F5 BIG IP Advanced WEB Application Firewall 16.0.1.1 F5 BIG IP Advanced WEB Application Firewall 16.1.0 F5 BIG IP Application Security Manager 14.1.0 F5 BIG IP Application Security Manager 14.1.0.1 F5 BIG IP Application Security Manager 14.1.0.2 F5 BIG IP Application Security Manager 14.1.0.2.0.45.4 F5 BIG IP Application Security Manager 14.1.0.2.0.62.4 F5 BIG IP Application Security Manager 14.1.0.3 F5 BIG IP Application Security Manager 14.1.0.3.0.79.6 F5 BIG IP Application Security Manager 14.1.0.3.0.97.6 F5 BIG IP Application Security Manager 14.1.0.3.0.99.6 F5 BIG IP Application Security Manager 14.1.0.5 F5 BIG IP Application Security Manager 14.1.0.5.0.15.5 F5 BIG IP Application Security Manager 14.1.0.5.0.36.5 F5 BIG IP Application Security Manager 14.1.0.5.0.40.5 F5 BIG IP Application Security Manager 14.1.0.6 F5 BIG IP Application Security Manager 14.1.0.6.0.11.9 F5 BIG IP Application Security Manager 14.1.0.6.0.14.9 F5 BIG IP Application Security Manager 14.1.0.6.0.68.9 F5 BIG IP Application Security Manager 14.1.0.6.0.70.9 F5 BIG IP Application Security Manager 14.1.2 F5 BIG IP Application Security Manager 14.1.2-0.0.37 F5 BIG IP Application Security Manager 14.1.2-0.89.37 F5 BIG IP Application Security Manager 14.1.2.0.11.37 F5 BIG IP Application Security Manager 14.1.2.0.18.37 F5 BIG IP Application Security Manager 14.1.2.0.32.37 F5 BIG IP Application Security Manager 14.1.2.1 F5 BIG IP Application Security Manager 14.1.2.1-0.0.4 F5 BIG IP Application Security Manager 14.1.2.1.0.14.4 F5 BIG IP Application Security Manager 14.1.2.1.0.16.4 F5 BIG IP Application Security Manager 14.1.2.1.0.34.4 F5 BIG IP Application Security Manager 14.1.2.1.0.46.4 F5 BIG IP Application Security Manager 14.1.2.1.0.83.4 F5 BIG IP Application Security Manager 14.1.2.1.0.97.4 F5 BIG IP Application Security Manager 14.1.2.1.0.99.4 F5 BIG IP Application Security Manager 14.1.2.1.0.105.4 F5 BIG IP Application Security Manager 14.1.2.1.0.111.4 F5 BIG IP Application Security Manager 14.1.2.1.0.115.4 F5 BIG IP Application Security Manager 14.1.2.1.0.122.4 F5 BIG IP Application Security Manager 14.1.2.2 F5 BIG IP Application Security Manager 14.1.2.2-0.0.4 F5 BIG IP Application Security Manager 14.1.2.3 F5 BIG IP Application Security Manager 14.1.2.3-0.0.5 F5 BIG IP Application Security Manager 14.1.2.4 F5 BIG IP Application Security Manager 14.1.2.5 F5 BIG IP Application Security Manager 14.1.2.5-0.0.3 F5 BIG IP Application Security Manager 14.1.2.6 F5 BIG IP Application Security Manager 14.1.2.6-0.0.2 F5 BIG IP Application Security Manager 14.1.2.7 F5 BIG IP Application Security Manager 14.1.2.7-0.0.5 F5 BIG IP Application Security Manager 14.1.2.8 F5 BIG IP Application Security Manager 14.1.3.1 F5 BIG IP Application Security Manager 15.1.0 F5 BIG IP Application Security Manager 15.1.0.1 F5 BIG IP Application Security Manager 15.1.0.2 F5 BIG IP Application Security Manager 15.1.0.3 F5 BIG IP Application Security Manager 15.1.0.4 F5 BIG IP Application Security Manager 15.1.0.5 F5 BIG IP Application Security Manager 15.1.1 F5 BIG IP Application Security Manager 15.1.2 F5 BIG IP Application Security Manager 15.1.2.1 F5 BIG IP Application Security Manager 16.0.0 F5 BIG IP Application Security Manager 16.0.1 F5 BIG IP Application Security Manager 16.0.1.1 F5 BIG IP Fraud Protection Service 14.1.0 F5 BIG IP Fraud Protection Service 14.1.0.1 F5 BIG IP Fraud Protection Service 14.1.0.2 F5 BIG IP Fraud Protection Service 14.1.0.2.0.45.4 F5 BIG IP Fraud Protection Service 14.1.0.2.0.62.4 F5 BIG IP Fraud Protection Service 14.1.0.3 F5 BIG IP Fraud Protection Service 14.1.0.3.0.79.6 F5 BIG IP Fraud Protection Service 14.1.0.3.0.97.6 F5 BIG IP Fraud Protection Service 14.1.0.3.0.99.6 F5 BIG IP Fraud Protection Service 14.1.0.5.0.15.5 F5 BIG IP Fraud Protection Service 14.1.0.5.0.36.5 F5 BIG IP Fraud Protection Service 14.1.0.5.0.40.5 F5 BIG IP Fraud Protection Service 14.1.0.6 F5 BIG IP Fraud Protection Service 14.1.0.6.0.11.9 F5 BIG IP Fraud Protection Service 14.1.0.6.0.14.9 F5 BIG IP Fraud Protection Service 14.1.0.6.0.68.9 F5 BIG IP Fraud Protection Service 14.1.0.6.0.70.9 F5 BIG IP Fraud Protection Service 14.1.2 F5 BIG IP Fraud Protection Service 14.1.2-0.0.37 F5 BIG IP Fraud Protection Service 14.1.2-0.89.37 F5 BIG IP Fraud Protection Service 14.1.2.0.11.37 F5 BIG IP Fraud Protection Service 14.1.2.0.18.37 F5 BIG IP Fraud Protection Service 14.1.2.0.32.37 F5 BIG IP Fraud Protection Service 14.1.2.1 F5 BIG IP Fraud Protection Service 14.1.2.1-0.0.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.14.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.16.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.34.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.46.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.83.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.97.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.99.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.105.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.111.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.115.4 F5 BIG IP Fraud Protection Service 14.1.2.1.0.122.4 F5 BIG IP Fraud Protection Service 14.1.2.2 F5 BIG IP Fraud Protection Service 14.1.2.2-0.0.4 F5 BIG IP Fraud Protection Service 14.1.2.3 F5 BIG IP Fraud Protection Service 14.1.2.3-0.0.5 F5 BIG IP Fraud Protection Service 14.1.2.4 F5 BIG IP Fraud Protection Service 14.1.2.5 F5 BIG IP Fraud Protection Service 14.1.2.5-0.0.3 F5 BIG IP Fraud Protection Service 14.1.2.6 F5 BIG IP Fraud Protection Service 14.1.2.6-0.0.2 F5 BIG IP Fraud Protection Service 14.1.2.7 F5 BIG IP Fraud Protection Service 14.1.2.7-0.0.5 F5 BIG IP Fraud Protection Service 14.1.2.8 F5 BIG IP Fraud Protection Service 14.1.3.1 F5 BIG IP Fraud Protection Service 14.1.4 F5 BIG IP Fraud Protection Service 15.1.0 F5 BIG IP Fraud Protection Service 15.1.0.1 F5 BIG IP Fraud Protection Service 15.1.0.2 F5 BIG IP Fraud Protection Service 15.1.0.3 F5 BIG IP Fraud Protection Service 15.1.0.4 F5 BIG IP Fraud Protection Service 15.1.0.5 F5 BIG IP Fraud Protection Service 15.1.1 F5 BIG IP Fraud Protection Service 15.1.2 F5 BIG IP Fraud Protection Service 15.1.2.1 F5 BIG IP Fraud Protection Service 16.0.0 F5 BIG IP Fraud Protection Service 16.0.1 F5 BIG IP Fraud Protection Service 16.0.1.1	156

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://support.f5.com/csp/article/K61112120