F5 Networks has released security updates to address four critical vulnerabilities, each of which can lead to remote code execution (RCE), affecting most supported BIG-IP and BIG-IQ software versions.
These vulnerabilities are:
CVE-2021-22986 — Allows unauthenticated attackers with network access to the iControl REST interface, via the BIG-IP management interface or self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
CVE-2021-22987 — On devices running in Appliance mode, allows authenticated users with network access to the Configuration utility, through the BIG-IP management port or self IP addresses, to bypass Appliance mode restrictions and execute arbitrary system commands, create or delete files, or disable services.
CVE-2021-22991 — Undisclosed requests to a virtual server may be handled incorrectly by the Traffic Management Microkernel (TMM) URI normalisation code, triggering a buffer overflow that results in a Denial of Service (DoS). In certain situations the overflow may allow attackers to bypass URL-based access control or achieve RCE.
CVE-2021-22992 — A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with a Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS. In certain situations it may allow RCE, leading to complete system compromise.
The following product versions are affected:
BIG-IP (all modules):
• 16.0.0 - 16.0.1
• 15.1.0 - 15.1.2
• 14.1.0 - 14.1.3
• 13.1.0 - 13.1.3
• 12.1.0 - 12.1.5
BIG-IQ Centralized Management:
• 7.0.0 - 7.1.0
• 6.0.0 - 6.1.0
Administrators of the affected versions are advised to upgrade to the fixed product versions immediately. Where an upgrade cannot be applied at once, restrict access to the management interface and to iControl REST to trusted networks or devices, and block access via self IP addresses (for example with the self IP Port Lockdown setting), as F5's advisory recommends; the management interface should never be reachable from the internet.
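The ranges above are given at major.minor.maintenance precision, so they identify a release branch rather than a point release; the fix itself ships as a point release within an affected branch, which a coarse range check cannot see. The following is an added example (not F5's code) that parses the product and version from output shaped like `tmsh show sys version` and classifies the branch against the list on this page, flagging point releases that still need to be compared with F5's fixed-version column. The sample output is constructed for the example, not captured from a real device.

```python
"""Classify a BIG-IP / BIG-IQ version against the affected ranges listed above.

Added example, not F5's code. The ranges are copied from this page; the fixed
point releases are deliberately NOT encoded here, so a point release inside an
affected branch is flagged for a manual check against F5's advisory.
"""
import re

# Inclusive ranges copied from the affected-version list above. They are given
# at major.minor.maintenance precision and therefore identify a branch.
AFFECTED = {
    "BIG-IP": [("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.3"),
               ("13.1.0", "13.1.3"), ("12.1.0", "12.1.5")],
    "BIG-IQ": [("7.0.0", "7.1.0"), ("6.0.0", "6.1.0")],
}


def parse_version(text):
    """Return a tuple of ints for a dotted version such as '15.1.0.4'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Return (branch_in_range, is_point_release).

    branch_in_range: the major.minor.maintenance part of `version` lies inside
    one of the listed ranges for `product`.
    is_point_release: `version` carries a fourth component. Such a release may
    already be the fixed one, so it must be compared against F5's fixed-version
    column rather than judged from this list alone.
    """
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError("expected at least major.minor.maintenance")
    branch = v[:3]
    point = len(v) > 3
    for low, high in AFFECTED[product]:
        if parse_version(low) <= branch <= parse_version(high):
            return True, point
    return False, point


# Constructed sample in the shape printed by `tmsh show sys version`
# (assumed format for this example; not captured from a real device).
SAMPLE_TMSH = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.4
  Build       0.0.6
  Edition     Point Release 4
  Date        Tue Mar 10 15:00:00 PDT 2020
"""


def classify_tmsh_output(text):
    """Pull the Product and Version lines out of tmsh output and classify them.

    Returns (product, version, branch_in_range, is_point_release).
    """
    product = re.search(r"^\s*Product\s+(\S+)", text, re.M)
    version = re.search(r"^\s*Version\s+(\S+)", text, re.M)
    if not product or not version:
        raise ValueError("could not find Product/Version lines in tmsh output")
    prod, ver = product.group(1), version.group(1)
    return (prod, ver) + classify(prod, ver)


if __name__ == "__main__":
    prod, ver, in_range, point = classify_tmsh_output(SAMPLE_TMSH)
    print(f"{prod} {ver}: branch in affected range={in_range}, "
          f"point release (check F5 fixed-version column)={point}")
```

Run it against the saved output of `tmsh show sys version` from each device; a result of `branch in affected range=True` with `point release=True` means the device is on an affected branch but may already be on the fixed point release, so the exact version must still be compared with the fixed releases in F5's advisory.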