F5 Releases Security Updates for Multiple Products

Security updates address six vulnerabilities rated as High impact and four rated as Medium impact

Threat ID:: CC-4315
Threat Severity:: Information only
Published:: 3 May 2023 5:15 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates address six vulnerabilities rated as High impact and four rated as Medium impact

Affected platforms

The following platforms are known to be affected:

F5 BIG-IP (All Modules)

F5 BIG-IQ

The following platforms are also known to be affected:

NGINX Instance Manager
NGINX API Connectivity Manager
NGINX Security Monitoring

Threat details

Introduction

F5 has released an overview of vulnerabilities for some of their networking products, including BIG-IP and BIG-IQ Centralized Management. The security advisory addresses six vulnerabilities rated as High impact and four rated as Medium impact. An attacker could exploit these vulnerabilities to escalate privileges, execute remote commands, impersonate a BIG-IP APM system, carry out cross-site scripting (XSS), create a denial-of-service (DoS) condition, or gain access to configuration objects outside of their assigned environment.

Remediation advice

Affected organisations are encouraged to review K000133251: Overview of F5 vulnerabilities (May 2023) and apply any relevant updates or mitigations.

Definitive source of threat updates

https://my.f5.com/manage/s/article/K000133251

CVE Vulnerabilities

Status Published

CVE-2023-28656

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Status Published

CVE-2023-29163

When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Status Published

CVE-2023-27378

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Status Published

CVE-2023-24461

An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Status Published

CVE-2023-28742

When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Status Published

CVE-2023-28724

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Last edited: 3 May 2023 5:15 pm