Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.
Chief among them is a vulnerability (CVSS score: 8.8) affecting BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM) that permits an authenticated user to perform a privilege escalation.
“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.
It is worth noting that for customers running the device in a mode that applies additional technical restrictions for sensitive sectors, the same vulnerability carries a critical rating of 9.9 out of 10. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.
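Since F5's only mitigation for this flaw is to remove Configuration utility access from anyone who is not completely trusted, the practical first step is an inventory of which accounts can actually log in. The following is an added example, not code from the article or from F5: it parses the kind of text `tmsh list auth user` prints on a BIG-IP and separates authenticated UI users into a trusted set and a review list. The sample output is constructed, the output format is assumed from typical tmsh formatting, and the treatment of `no-access` as the only role without a Configuration utility session is an assumption for this example.

```python
import re

# Constructed sample in the shape of `tmsh list auth user` output.
# The format is assumed from typical BIG-IP tmsh output; it is not taken
# from the article or from F5 documentation.
SAMPLE_TMSH_OUTPUT = """\
auth user admin {
    description admin
    encrypted-password xxxx
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user auditor1 {
    description "read-only auditor"
    encrypted-password xxxx
    partition Common
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell none
}
auth user legacy-svc {
    description "old integration account"
    encrypted-password xxxx
    partition Common
    partition-access {
        all-partitions {
            role operator
        }
    }
    shell none
}
auth user parked {
    encrypted-password xxxx
    partition Common
    partition-access {
        all-partitions {
            role no-access
        }
    }
    shell none
}
"""

# Roles assumed to grant no Configuration utility session at all. Every
# other role is an authenticated login, which the advisory says cannot be
# mitigated except by removing it. (Assumption for this example.)
NO_UI_ROLES = {"no-access"}

# One "auth user NAME { ... }" block; the non-greedy body stops at the
# first "}" that starts a line, i.e. the block's own closing brace.
USER_BLOCK = re.compile(r"auth user (\S+) \{(.*?)\n\}", re.S)
ROLE = re.compile(r"\brole (\S+)")
SHELL = re.compile(r"\bshell (\S+)")


def parse_users(tmsh_output):
    """Return {username: {"roles": set_of_roles, "shell": shell}} from tmsh text."""
    users = {}
    for name, body in USER_BLOCK.findall(tmsh_output):
        roles = set(ROLE.findall(body))
        shell_match = SHELL.search(body)
        users[name] = {
            "roles": roles,
            "shell": shell_match.group(1) if shell_match else "none",
        }
    return users


def authenticated_ui_users(users):
    """Accounts that can log into the Configuration utility: any account
    holding at least one role outside NO_UI_ROLES, sorted by name."""
    return sorted(
        name for name, info in users.items() if info["roles"] - NO_UI_ROLES
    )


def review_report(users, trusted):
    """Split authenticated UI users into the trusted set to keep and the
    remainder that must be removed or justified."""
    ui_users = authenticated_ui_users(users)
    return {
        "keep": [u for u in ui_users if u in trusted],
        "remove_or_review": [u for u in ui_users if u not in trusted],
    }


if __name__ == "__main__":
    users = parse_users(SAMPLE_TMSH_OUTPUT)
    report = review_report(users, trusted={"admin"})
    for user in report["remove_or_review"]:
        info = users[user]
        print(f"review: {user} roles={sorted(info['roles'])} shell={info['shell']}")
```

On a real device the text would come from `tmsh list auth user` rather than the embedded sample; the point of the split is that a read-only role such as `auditor` or `operator` still constitutes an authenticated Configuration utility login, so under F5's statement it belongs on the review list unless the account is explicitly trusted.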
The other major vulnerabilities resolved by F5 are listed below –
- CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in the BIG-IP Configuration utility
- CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
- CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
- CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
- CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
- CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM WebSocket vulnerabilities
- CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
- CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel (TMM) vulnerabilities
Additionally, F5 has patched a number of flaws ranging from directory traversal and SQL injection to open redirect and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.
With F5 devices frequently becoming targets of active exploitation attempts by threat actors, users and administrators are strongly advised to install the updated software or apply the necessary mitigations as soon as possible.