F5 has issued a security advisory warning about a vulnerability that may allow an unauthenticated attacker with network access to a BIG-IP system, through the management port and/or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. The vulnerability is tracked as CVE-2022-1388 and carries a CVSS score of 9.8, rating it critical.
The flaw lies in the iControl REST component of BIG-IP: undisclosed requests can bypass iControl REST authentication, so no valid credentials are needed to reach the affected API. The affected versions are listed below:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
F5 has introduced fixes in v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5. F5 has stated that it will not provide a patch for the 11.6.x and 12.1.x branches, which have reached the end of software development; systems on those branches need to be upgraded to a supported branch. For systems that cannot be upgraded immediately, F5's advisory lists temporary mitigations: block iControl REST access through self IP addresses, block iControl REST access through the management interface, and modify the BIG-IP httpd configuration. The BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC lines of products are not affected by this vulnerability.
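The version ranges above are inclusive of their endpoints, and a point release such as 16.1.2.1 is still inside the 16.1.0 to 16.1.2 range even though a plain tuple comparison would sort it above 16.1.2. The following script, added here as an example and not F5's own code or tooling, encodes the article's affected and fixed versions and classifies a BIG-IP version string against them. The status strings, the helper names, and the sample `tmsh show sys version` output (a constructed sample that mimics the command's layout) are this example's own assumptions.

```python
# Added example, not F5's code: classify a BIG-IP version against the
# CVE-2022-1388 affected/fixed ranges quoted in the article. The status
# strings, helper names and sample tmsh output are this example's own.
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first vulnerable release in the branch, first fixed release or None),
# taken from the article. None means F5 ships no fix for that branch.
BRANCHES = [
    ("16.1.0", "16.1.2.2"),
    ("15.1.0", "15.1.5.1"),
    ("14.1.0", "14.1.4.6"),
    ("13.1.0", "13.1.5"),
    ("12.1.0", None),   # 12.1.0 to 12.1.6, no patch
    ("11.6.1", None),   # 11.6.1 to 11.6.5, no patch
]
FIRST_CLEAN_MAJOR = 17  # 17.0.0 already contains the fix


def parse(v: str) -> Version:
    """Turn '16.1.2.2' into (16, 1, 2, 2). Shorter strings are padded with
    zeros so '16.1.2' sorts below '16.1.2.1' rather than above it."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {v!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def assess(version: str) -> str:
    """Return 'vulnerable, fixed in X', 'vulnerable, no fix', 'fixed', or
    'not listed' (the branch does not appear in the advisory at all)."""
    v = parse(version)
    if v[0] >= FIRST_CLEAN_MAJOR:
        return "fixed"
    for start, fixed in BRANCHES:
        s = parse(start)
        if v[:2] != s[:2] or v < s:
            continue  # different branch, or older than the listed range
        if fixed is None:
            return "vulnerable, no fix"
        # Anything from the branch start up to (but excluding) the fixed
        # release is affected; the fixed release and later are clean.
        return "fixed" if v >= parse(fixed) else f"vulnerable, fixed in {fixed}"
    return "not listed"


def version_from_tmsh(output: str) -> Optional[str]:
    """Pull the 'Version' field out of `tmsh show sys version` text.
    Anchored at line start so the 'Sys::Version' header is skipped."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample (not captured from a real device) in the layout of
# `tmsh show sys version`.
SAMPLE_TMSH = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final
"""

if __name__ == "__main__":
    found = version_from_tmsh(SAMPLE_TMSH)
    print(found, "->", assess(found) if found else "version not found")
    for probe in ["16.1.2.1", "16.1.2.2", "13.1.4", "12.1.6", "17.0.0", "16.0.1"]:
        print(probe, "->", assess(probe))
```

A version on an unlisted branch is reported as "not listed" rather than "not affected": the advisory says nothing about it, and an out-of-support release should be treated as suspect until confirmed against F5's own table.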