Security Advisory Description
On March 10th, 2021, F5 announced four critical CVEs, along with three related CVEs (two high and one medium). This document is intended to serve as an overview of these vulnerabilities to help you determine the impact on your F5 devices. The details of each issue can be found in the associated security advisory.
The seven (7) related vulnerabilities are as follows:
- K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVSS score: 9.8 (Critical)
- K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability CVE-2021-22987
When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 9.9 (Critical)
- K70031188: TMUI authenticated remote command execution vulnerability CVE-2021-22988
TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.8 (High)
- K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989
When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.0 (High)
- K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990
On systems with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 6.6 (Medium)
- K56715231: TMM buffer-overflow vulnerability CVE-2021-22991
Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL-based access control or remote code execution (RCE).
CVSS score: 9.0 (Critical)
- K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.
CVSS score: 9.0 (Critical)
Because of the severity of these vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 also affects BIG-IQ, and this is fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.
The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.
| CVE | Severity | CVSS score | Affected products | Affected versions | Fixed versions | Appliance mode / Non-Appliance mode² | Control plane / Data plane³ |
|---|---|---|---|---|---|---|---|
| CVE-2021-22986 | Critical | 9.8 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 | Both | Control plane - iControl REST |
| CVE-2021-22986 | Critical | 9.8 | BIG-IQ | 7.1.0-7.1.0.2, 7.0.0-7.0.0.1, 6.0.0-6.1.0 | 8.0.0, 7.1.0.3, 7.0.0.2 | N/A | Control plane - iControl REST |
| CVE-2021-22987 | Critical | 9.9 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 | Appliance mode | Control plane - TMUI |
| CVE-2021-22988 | High | 8.8 | BIG-IP (All modules) | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 | Non-Appliance mode | Control plane - TMUI |
| CVE-2021-22989 | High | 8.0 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 | Appliance mode | Control plane - TMUI |
| CVE-2021-22990 | Medium | 6.6 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 | Non-Appliance mode | Control plane - TMUI |
| CVE-2021-22991 | Critical | 9.0 | BIG-IP (All modules)¹ | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 | Both | Data plane |
| CVE-2021-22992 | Critical | 9.0 | BIG-IP Advanced WAF/ASM | 16.0.0-16.0.1, 15.1.0-15.1.2, 14.1.0-14.1.3.1, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2 | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 | Both | Data plane |

¹ Specific functionality is affected. Refer to: K56715231: TMM buffer-overflow vulnerability CVE-2021-22991.
² For information on Appliance mode, refer to: K12815: Overview of Appliance mode.
³ The data plane relates to traffic processing (TMM tasks), while the control plane relates to computing, storing, and processing information (non-TMM tasks).
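As an added triage aid (not part of the F5 advisory), the following script encodes the affected and fixed version ranges from the table above and reports which of the seven CVEs a given BIG-IP version is exposed to, taking Appliance mode and Advanced WAF/ASM provisioning into account. The function names and the version-comparison approach are this example's own assumptions; BIG-IQ is not covered.

```python
# Added example: triage a BIG-IP version against the advisory table (not F5 code).
from typing import Dict, List, Optional, Tuple

def ver(s: str) -> Tuple[int, ...]:
    """Parse '15.1.2.1' into a comparable tuple, padded to four components."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))

# (first affected, last affected, fixed release) per branch, as listed in the table.
BIGIP = [("16.0.0", "16.0.1", "16.0.1.1"), ("15.1.0", "15.1.2", "15.1.2.1"),
         ("14.1.0", "14.1.3.1", "14.1.4"), ("13.1.0", "13.1.3.5", "13.1.3.6"),
         ("12.1.0", "12.1.5.2", "12.1.5.3")]
BIGIP_11 = [("11.6.1", "11.6.5.2", "11.6.5.3")]  # only five of the CVEs affect 11.6.x

# CVE -> (requires Advanced WAF/ASM, applicable mode, affected ranges)
ADVISORY = {
    "CVE-2021-22986": (False, "Both", BIGIP),
    "CVE-2021-22987": (False, "Appliance", BIGIP + BIGIP_11),
    "CVE-2021-22988": (False, "Non-Appliance", BIGIP + BIGIP_11),
    "CVE-2021-22989": (True, "Appliance", BIGIP + BIGIP_11),
    "CVE-2021-22990": (True, "Non-Appliance", BIGIP + BIGIP_11),
    "CVE-2021-22991": (False, "Both", BIGIP),
    "CVE-2021-22992": (True, "Both", BIGIP + BIGIP_11),
}

def fixed_in(version: str, ranges: List[Tuple[str, str, str]]) -> Optional[str]:
    """Return the fixed release if `version` falls in an affected range, else None."""
    v = ver(version)
    for lo, hi, fix in ranges:
        if ver(lo) <= v <= ver(hi):
            return fix
    return None

def triage_bigip(version: str, appliance_mode: bool, asm: bool) -> Dict[str, str]:
    """Map each CVE the device is exposed to -> the fixed release for its branch."""
    mode = "Appliance" if appliance_mode else "Non-Appliance"
    exposed: Dict[str, str] = {}
    for cve, (needs_asm, cve_mode, ranges) in ADVISORY.items():
        if needs_asm and not asm:
            continue
        if cve_mode not in ("Both", mode):
            continue
        fix = fixed_in(version, ranges)
        if fix is not None:
            exposed[cve] = fix
    return exposed

if __name__ == "__main__":
    # Constructed sample: a 15.1.0 device in Appliance mode with ASM provisioned.
    for cve, fix in sorted(triage_bigip("15.1.0", True, True).items()):
        print(f"{cve}: upgrade to {fix}")
```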
For any of the previously listed vulnerabilities which affect your network, review the appropriate security advisory for the full details of the issue.
You may also want to review the frequently asked questions articles: