
Multiple security vulnerabilities in F5 BIG-IP and BIG-IQ devices

Issued: Monday, 21 November, 2022
Last Revision: Monday, 21 November, 2022
Vendor: F5
Severity Level: 
Summary: 

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices. The addressed vulnerabilities are:

 

CVE-2022-41622: A cross-site request forgery (CSRF) vulnerability in iControl SOAP that leads to unauthenticated remote code execution. Successful exploitation allows an attacker to gain persistent root access to the device management interface. As with any CSRF flaw, the attacker does not need credentials of their own: the forged request is sent from the browser of an administrator who is logged in to the device, so the attack works even when the management interface is not reachable from the Internet. According to F5, successful exploitation can compromise the complete system.

 

CVE-2022-41800: An iControl REST vulnerability that could allow an authenticated user with the Administrator role to bypass Appliance mode restrictions. In addition, other security issues were identified, including a local privilege escalation via bad Unix socket permissions and an SELinux bypass method.

 

CVE/Vulnerability | Affected Version          | CVSS Score | Exploitable
CVE-2022-41800    | BIG-IP 13.x through 17.x  | 8.8        | NO
CVE-2022-41622    |                           |            |

Recommendation: 

Affected organizations are encouraged to contact the vendor and take the necessary action as per their advice to mitigate the reported vulnerabilities. Until the vendor's fixes are applied, access to the device management interface (including iControl SOAP and iControl REST) should be restricted to trusted networks, and administrators should avoid browsing untrusted sites while logged in to the management interface, since the CSRF vulnerability relies on an active administrator session.