Critical Vulnerability in BIG-IP iControl REST

Published on 05 May 2022

Updated on 05 May 2022

F5 has released security updates for the BIG-IP Application Delivery Controller, addressing multiple vulnerabilities including a critical vulnerability (CVE-2022-1388). The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10 and affects the iControl REST component.

Successful exploitation of the vulnerability could allow an unauthenticated attacker with network access to an affected BIG-IP system to execute arbitrary system commands, create or delete files, or disable services.

The following BIG-IP product versions are affected:

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

Administrators of the affected versions are advised to upgrade to the latest product versions immediately.

More information is available here:

https://support.f5.com/csp/article/K23605346
https://support.f5.com/csp/article/K55879220