Cybersecurity company F5 released an advisory warning of seven vulnerabilities in its product suite, four of which are classified as critical.
The bugs affect all F5 BIG-IP and BIG-IQ deployments and can be abused to perform remote code execution (RCE), denial of service (DoS) and device takeover attacks.
The bugs are so severe that the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory, calling on companies to “review the F5 advisory and install the updated software as soon as possible.”
According to the F5 advisory, patches are now available for the seven vulnerabilities.
F5 security vulnerabilities
The most severe of the F5 vulnerabilities, CVE-2021-22987, has been assigned a severity rating of 9.9 / 10 under the Common Vulnerability Scoring System (CVSS). The bug allows users with network access to the configuration utility (also known as the traffic management user interface) “to execute arbitrary system commands, create or delete files, or disable services.”
CVE-2021-22986, on the other hand, relates to the iControl REST interface and creates opportunities for the same types of attacks, earning it a severity rating of 9.8.
However, both flaws require access to the control plane, meaning an attacker would first need to own or steal login credentials.
The last two critical bugs, CVE-2021-22991 and CVE-2021-22992, are buffer overflow vulnerabilities that open the door to DoS attacks and, in some situations, to remote code execution.
Beyond these four critical vulnerabilities, the company also released details of one medium-severity defect and two high-severity defects, along with an apology to affected customers.
“These vulnerabilities were discovered as a result of regular and ongoing internal security testing of our solutions,” F5 said in a blog post. “Because we understand how critical BIG-IP and BIG-IQ are to our customers, as soon as these vulnerabilities were discovered, we immediately started working on fixes and released title advisories as soon as possible.”
“The trust you place in F5 to manage the security and delivery of your most important assets – your applications – is not something we take lightly. We understand that remedying vulnerabilities can disrupt your business.”