F5 fixes 25 flaws in BIG-IP, BIG-IQ, and NGINX products

Cybersecurity provider F5 released security patches to address 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC), 13 of them have been rated as high-severity issues (CVSS score 7.5).

The issues received CVEs between CVE-2022-23010 to CVE-2022-23032.

The vulnerabilities can cause the termination of the Traffic Management Microkernel (TMM), can lead to an increase in memory resource utilization, freezing virtual servers, or executing JavaScript code.

F5 addressed the flaws with the release of versions 14.x, 15.x, and 16.x.

The security provider also addressed two high-severity vulnerabilities in BIG-IQ centralized management and NGINX controller API management tracked as CVE-2022-23009 and CVE-2022-23008 respectively.

Regarding the CVE-2022-23008 flaw, an authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

All the medium-severity vulnerabilities affect BIG-IP, but the CVE-2022-23023 issue also impacts BIG-IQ as well.

The company has also addressed a low-severity vulnerability, tracked as CVE-2022-23032, that can lead to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory to encourage administrators to review the F5 security advisory.

“F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.” reads the advisory published by CISA.

“CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.