F5 fixes 12 High severity vulnerabilities in BIG-IP and BIG-IQ products

F5 has released fixes for 12 High severity vulnerabilities that affect BIG-IP and BIG-IQ products.

An attacker could exploit these vulnerabilities and potentially take over impacted systems.

As detailed in a recent security advisory, F5 patched the following 12 High severity vulnerabilities (with their CVSS scores):

  1. CVE-2022-35243: Authenticated iControl REST in Appliance mode vulnerability (CVSS 8.7)
  2. CVE-2022-35728: iControl REST vulnerability (CVSS 8.1)
  3. CVE-2022-34655: TMM vulnerability (CVSS 7.5)
  4. CVE-2022-35245: BIG-IP APM access policy vulnerability (CVSS 7.5)
  5. CVE-2022-35240: BIG-IP Message Routing MQTT vulnerability (CVSS 7.5)
  6. CVE-2022-35236: HTTP2 profile vulnerability (CVSS 7.5)
  7. CVE-2022-34651: BIG-IP TLS1.3 iRule vulnerability (CVSS 7.5)
  8. CVE-2022-32455: TMM vulnerability (CVSS 7.5)
  9. CVE-2022-34862: TMM vulnerability (CVSS 7.5)
  10. CVE-2022-33203: BIG-IP APM and SSL Orchestrator vulnerability (CVSS 7.5)
  11. CVE-2022-35272: BIG-IP HTTP MRF vulnerability (CVSS 7.5)
  12. CVE-2022-35735: BIG-IP monitor configuration vulnerability (CVSS 7.5)

The most severe of the issues, CVE-2022-35243, could allow an authenticated user assigned the Administrator role to bypass Appliance mode restrictions via an undisclosed iControl REST endpoint. The vulnerability affects all BIG-IP modules when the system is running in Appliance mode.

Moreover, F5 also addressed one Low and eight Medium severity vulnerabilities.
