May 8, 2022
F5 Patches Critical BIG-IP Device Takeover Vulnerability
F5 has patched a critical vulnerability affecting BIG-IP devices that may lead to device takeover.
- CVE-2022-1388 (CVSS 3.1: 9.8, Critical) – Undisclosed requests may bypass iControl REST authentication. This may result in remote code execution and modification of files and services.
- Affected BIG-IP (all modules) versions:
  - Prior to 17.0.0.
  - Prior to 220.127.116.11.
  - Prior to 18.104.22.168.
  - Prior to 22.214.171.124.
  - Prior to 13.1.5.
  - 12.1.0 – 12.1.6 (no fix available).
  - 11.6.1 – 11.6.5 (no fix available).
CYREBRO recommends updating relevant products, in accordance with the official F5 advisory.
If updating is currently not an option, apply the temporary workarounds listed under the ‘Mitigation’ section of the official F5 advisory.
References: F5 Advisory.