CVE-2023-22326 – iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2023-22326
In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K83284425 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-22323 – BIG-IP SSL OCSP Authentication profile vulnerability
https://notcve.org/view.php?id=CVE-2023-22323
In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K56412001 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-22281 – BIG-IP AFM vulnerability
https://notcve.org/view.php?id=CVE-2023-22281
On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a BIG-IP AFM NAT policy with a destination NAT rule is configured on a FastL4 virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K46048342 • CWE-908: Use of Uninitialized Resource •
CVE-2022-41800 – Appliance mode iControl REST vulnerability
https://notcve.org/view.php?id=CVE-2022-41800
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En todas las versiones de BIG-IP, cuando se ejecuta en modo Dispositivo, un usuario autenticado al que se le haya asignado la función de Administrador puede evitar las restricciones del modo Dispositivo, utilizando un endpoint REST de iControl no revelado. Una explotación exitosa puede permitir al atacante cruzar un límite de seguridad. • https://support.f5.com/csp/article/K13325942 https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures https://support.f5.com/csp/article/K97843387 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2022-41622 – iControl SOAP vulnerability
https://notcve.org/view.php?id=CVE-2022-41622
In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En todas las versiones, BIG-IP y BIG-IQ son vulnerables a ataques de Cross-Site Request Forgery (CSRF) a través de iControl SOAP. Nota: Las versiones de software que han llegado al final del soporte técnico (EoTS) no se evalúan. • https://support.f5.com/csp/article/K94221585 https://github.com/rbowes-r7/refreshing-soap-exploit https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures https://support.f5.com/csp/article/K97843387 https://support.f5.com/csp/article/K05403841 • CWE-352: Cross-Site Request Forgery (CSRF) •