Of the 29 bugs fixed, 13 are rated high severity, 15 medium, and one low.
Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM) that allows an authenticated user to perform a privilege escalation.
“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.
It is worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions for use in sensitive sectors, the same vulnerability carries a critical rating of 9.9 out of 10, since exploitation defeats the very restrictions that mode is meant to enforce. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.
The other major vulnerabilities resolved by F5 are listed below:
- CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in the BIG-IP Configuration utility
- CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
- CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
- CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
- CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
- CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM WebSocket vulnerabilities
- CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
- CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel (TMM) vulnerabilities
In addition, F5 has patched a number of flaws ranging from a directory traversal vulnerability and SQL injection to an open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.
With F5 devices frequently being attractive targets for active exploitation by threat actors, customers and administrators are strongly advised to install the updated software or apply the necessary mitigations as soon as possible. Note that for CVE-2021-23031 there is no interim workaround beyond removing Configuration utility access from users who are not fully trusted, so patching is the only complete fix.