Issued: Sunday, 15 May, 2022 |
Last Revision: Sunday, 15 May, 2022 |
Vendor: F5 |
Product: BIG-IP |
Severity Level: Critical |
In May 2022, F5 resolved a total of 43 vulnerabilities, the most serious of which is a critical vulnerability identified as CVE-2022-1388 (CVSS score of 9.8). Unauthenticated attackers with network access to the F5 BIG-IP system through the management port and/or self IP addresses can use the CVE-2022-1388 flaw to run arbitrary system commands, create or delete files, and disable services. In other words, the attacker can take complete control of the affected device. This weakness is being actively exploited.
This is crucial because F5 is extensively used, and an attacker who successfully exploits CVE-2022-1388 can wipe the device and render it unusable.
| CVE/Vulnerability | Description | CVSS 3.0 Score |
| --- | --- | --- |
| CVE-2022-1388 | Remote Code Execution Vulnerability | 9.8 |

Table 1: Vulnerability details

| CVE/Vulnerability | Affected Product and Versions | Fixed Version |
| --- | --- | --- |
| CVE-2022-1388 | BIG-IP 16.1.0 – 16.1.2 | 16.1.2.2 |
| CVE-2022-1388 | BIG-IP 15.1.0 – 15.1.5 | 15.1.5.1 |
| CVE-2022-1388 | BIG-IP 14.1.0 – 14.1.4 | 14.1.4.6 |
| CVE-2022-1388 | BIG-IP 13.1.0 – 13.1.4 | 13.1.5 |
| CVE-2022-1388 | BIG-IP 12.1.0 – 12.1.6 | No Fix |
| CVE-2022-1388 | BIG-IP 11.6.1 – 11.6.5 | No Fix |

Table 2: Vulnerable versions
It is recommended to disconnect the management interface from the internet and patch your BIG-IP to the Fixed Version. As a best practice, make sure that the management plane is not accessible from the Internet.
If a device running in your environment currently has no update for its model/version, F5 suggests updating to a version that includes the patch (refer to the Affected Product table, Table 2).
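As an added example (not part of this advisory or of any F5 tooling), a short Python triage helper that checks BIG-IP version strings against the affected and fixed ranges in Table 2 and applies the advice above: upgrade to the branch's Fixed Version where one exists, and migrate to a fixed branch where the table says No Fix. The host names and versions in the sample inventory are constructed.

```python
from typing import Optional, Tuple
# Affected ranges and fixed versions copied from Table 2 of this advisory;
# None reproduces the table's "No Fix" entries (12.1.x and 11.6.x).
CVE_2022_1388_TABLE = [
    ("16.1.0", "16.1.2", "16.1.2.2"),
    ("15.1.0", "15.1.5", "15.1.5.1"),
    ("14.1.0", "14.1.4", "14.1.4.6"),
    ("13.1.0", "13.1.4", "13.1.5"),
    ("12.1.0", "12.1.6", None),
    ("11.6.1", "11.6.5", None),
]
FIXED_VERSIONS = [f for _, _, f in CVE_2022_1388_TABLE if f]

def parse_version(v: str) -> Tuple[int, ...]:
    """'15.1.5.1' -> (15, 1, 5, 1); raises ValueError on malformed input."""
    return tuple(int(p) for p in v.strip().split("."))

def _ge(a, b) -> bool:
    """a >= b with missing trailing components treated as 0 (16.1.2 == 16.1.2.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify one version against Table 2: ('fixed', None), ('vulnerable', fix or
    None when the table says No Fix) or ('unlisted', None) if no branch matches."""
    v = parse_version(version)
    for low, high, fixed in CVE_2022_1388_TABLE:
        lo, hi = parse_version(low), parse_version(high)
        if v[:2] != lo[:2]:          # different release branch (e.g. 15.1 vs 16.1)
            continue
        if fixed and _ge(v, parse_version(fixed)):
            return "fixed", None
        # Upper bound is a prefix match so that 16.1.2.1 still counts as 16.1.2.
        if _ge(v, lo) and v[:len(hi)] <= hi:
            return "vulnerable", fixed
    return "unlisted", None

def triage(inventory: dict) -> dict:
    """Map each host of a constructed {host: version} inventory to the advisory's action."""
    actions = {}
    for host, ver in inventory.items():
        status, target = assess(ver)
        if status != "vulnerable":
            actions[host] = status
        elif target:
            actions[host] = f"upgrade to {target}"
        else:   # Table 2 lists No Fix: move to a branch that has the patch
            actions[host] = "no fix on this branch; migrate to one of " + ", ".join(FIXED_VERSIONS)
    return actions
```

Versions the table does not cover come back as `unlisted` rather than `fixed`, so they still need a manual check against the vendor advisory.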
