Cloud security and application delivery network (ADN) service provider F5 on Wednesday released patches for 43 bugs spanning its products.
Of the 43 issues resolved, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated Low in severity.
Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a missing authentication check, potentially allowing an attacker to take control of an affected system.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 said in an advisory. “There is no data plane exposure; this is a control plane issue only.”
The security vulnerability, which the company said was discovered internally, affects BIG-IP products with the following versions –
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6
- 11.6.1 – 11.6.5
Patches for the iControl REST authentication bypass flaw have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.
F5 has also made temporary workarounds available until the fixes can be applied –
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
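As an added example that is not part of the article or F5's own tooling, the script below triages a BIG-IP version string against the affected ranges and fixed builds listed above, so an inventory can be sorted into patched, vulnerable, and vulnerable-with-no-fixed-build (workarounds only) groups. The sample versions in `main` are constructed.

```python
# Added example, not code from the article or from F5: classify a BIG-IP
# version against the CVE-2022-1388 ranges the article lists.
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """'16.1.2.2' -> (16, 1, 2, 2); missing trailing parts count as 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))

# (first affected, last affected, first fixed build) per branch, as listed
# in the article; None means the article lists no fixed build in that branch.
AFFECTED = [
    ("16.1.0", "16.1.2", "16.1.2.2"),
    ("15.1.0", "15.1.5", "15.1.5.1"),
    ("14.1.0", "14.1.4", "14.1.4.6"),
    ("13.1.0", "13.1.4", "13.1.5"),
    ("12.1.0", "12.1.6", None),
    ("11.6.1", "11.6.5", None),
]
FIRST_FIXED_MAJOR = parse_version("17.0.0")

def triage(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable-no-fix' or 'unlisted'."""
    v = parse_version(version)
    if v >= FIRST_FIXED_MAJOR:
        return "fixed"
    for lo, hi, fixed in AFFECTED:
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        if v[:2] != lo_v[:2]:
            continue                      # different x.y branch
        if fixed is not None and v >= parse_version(fixed):
            return "fixed"                # at or past the fixed build
        # Affected ranges are given to three components (x.y.z), so a point
        # build such as 16.1.2.1 still falls inside 16.1.0 - 16.1.2.
        if lo_v[:3] <= v[:3] <= hi_v[:3]:
            return "vulnerable" if fixed else "vulnerable-no-fix"
        return "unlisted"                 # e.g. 11.6.0: branch known, range not
    return "unlisted"

if __name__ == "__main__":
    for sample in ["16.1.2.1", "16.1.2.2", "13.1.5", "12.1.6", "17.0.0"]:
        print(sample, triage(sample))    # constructed sample versions
```

A result of `vulnerable-no-fix` means only the workarounds above apply, since the article lists no fixed build for the 12.x and 11.x branches.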
Other noteworthy bugs resolved as part of the update include those that could allow an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary JavaScript code in the context of the currently logged-in user.
With F5 appliances widely deployed in enterprise networks, it is crucial that organizations move quickly to apply the patches to prevent threat actors from exploiting the attack vector for initial access.
The security fixes come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation –
- CVE-2021-1789 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2019-8506 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2014-4113 – Microsoft Win32k Privilege Escalation Vulnerability
- CVE-2014-0322 – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2014-0160 – OpenSSL Information Disclosure Vulnerability
Some parts of this article are sourced from:
thehackernews.com