Important Vulnerabilities in F5 BIG-IP and BIG-IQ

Mar 16, 2021 GMT+08:00

I. Overview

F5 has recently disclosed multiple important BIG-IP/BIG-IQ vulnerabilities. Attackers can exploit these vulnerabilities to remotely execute code.

CVE-2021-22986, CVSS 9.8: BIG-IP/BIG-IQ iControl REST: unauthenticated remote command execution vulnerability

CVE-2021-22987, CVSS 9.9: BIG-IP Appliance mode TMUI authenticated remote command execution vulnerability

CVE-2021-22988, CVSS 8.8: BIG-IP TMUI authenticated remote command execution vulnerability

CVE-2021-22989, CVSS 8.0: BIG-IP Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability

CVE-2021-22990, CVSS 6.6: BIG-IP Advanced WAF/ASM TMUI authenticated remote command execution vulnerability

CVE-2021-22991, CVSS 9.0: BIG-IP TMM buffer-overflow vulnerability

CVE-2021-22992, CVSS 9.0: BIG-IP Advanced WAF/ASM buffer-overflow vulnerability

If you are an F5 BIG-IP or BIG-IQ user, check the versions you are running against the table below and apply the fixes promptly.

For more information about these vulnerabilities, visit the following website:

https://support.f5.com/csp/article/K02566623

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Vulnerability: CVE-2021-22986
Affected Version: F5 BIG-IP 16.0.0–16.0.1, 15.1.0–15.1.2, 14.1.0–14.1.3.1, 13.1.0–13.1.3.5, 12.1.0–12.1.5.2; F5 BIG-IQ 7.1.0–7.1.0.2, 7.0.0–7.0.0.1, 6.0.0–6.1.0
Secure Version: F5 BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3; F5 BIG-IQ 8.0.0, 7.1.0.3, 7.0.0.2

Vulnerability: CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22992
Affected Version: F5 BIG-IP 16.0.0–16.0.1, 15.1.0–15.1.2, 14.1.0–14.1.3.1, 13.1.0–13.1.3.5, 12.1.0–12.1.5.2, 11.6.1–11.6.5.2
Secure Version: F5 BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3

Vulnerability: CVE-2021-22991
Affected Version: F5 BIG-IP 16.0.0–16.0.1, 15.1.0–15.1.2, 14.1.0–14.1.3.1, 13.1.0–13.1.3.5, 12.1.0–12.1.5.2
Secure Version: F5 BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3
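The following script is an added example, not part of this notice and not an F5 tool: it encodes the affected ranges from the table above and reports which of the listed CVEs apply to a given BIG-IP or BIG-IQ version string. The product name and version string passed to it are assumed inputs; inclusive ranges with zero-padded four-part versions mean that a secure point release such as 16.0.1.1 correctly falls outside the 16.0.0–16.0.1 range.

```python
# Added example (not from this notice or from F5): check an installed
# BIG-IP / BIG-IQ version string against the affected ranges listed above.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """Turn '14.1.3.1' into (14, 1, 3, 1); shorter strings are zero-padded."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {s!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


# Inclusive affected ranges transcribed from the advisory table, by product.
BIG_IP_COMMON = [
    ("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.3.1"),
    ("13.1.0", "13.1.3.5"), ("12.1.0", "12.1.5.2"),
]
BIG_IQ_22986 = [("7.1.0", "7.1.0.2"), ("7.0.0", "7.0.0.1"), ("6.0.0", "6.1.0")]

AFFECTED: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "CVE-2021-22986": {"BIG-IP": BIG_IP_COMMON, "BIG-IQ": BIG_IQ_22986},
    "CVE-2021-22991": {"BIG-IP": BIG_IP_COMMON},
}
# The TMUI and Advanced WAF/ASM issues additionally affect the 11.6.x branch.
for _cve in ("CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989",
             "CVE-2021-22990", "CVE-2021-22992"):
    AFFECTED[_cve] = {"BIG-IP": BIG_IP_COMMON + [("11.6.1", "11.6.5.2")]}


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from this notice that apply to `product` at `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges.get(product, []):
            # A point release above the upper bound (16.0.1.1 > 16.0.1) is safe.
            if parse_version(lo) <= v <= parse_version(hi):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    for prod, ver in [("BIG-IP", "14.1.3.1"), ("BIG-IP", "14.1.4"), ("BIG-IQ", "7.0.0.1")]:
        print(prod, ver, "->", affected_cves(prod, ver) or "not affected")
```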

IV. Vulnerability Handling

F5 has officially released secure versions. Upgrade to a secure version listed in the table above.

If you are unable to upgrade, refer to the workarounds provided in the following links to mitigate the risk temporarily:

CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22991, CVE-2021-22992

Note: Before fixing the vulnerabilities, back up your files and test the change thoroughly.