CVE-2021-22986

Warning

Exploit

EPSS 94.47%
Published 31.03.2021 15:15:15
Last modified 02.04.2025 19:09:11
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Affected products Warnungen 1 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Access Policy Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Access Policy Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Access Policy Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Access Policy Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Advanced Firewall Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Advanced Firewall Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Advanced Web Application Firewall Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Advanced Web Application Firewall Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Advanced Web Application Firewall Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Analytics Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Analytics Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Analytics Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Analytics Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Analytics Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Application Acceleration Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Application Acceleration Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Application Acceleration Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Application Security Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Application Security Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Application Security Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Application Security Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Application Security Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Ddos Hybrid Defender Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Ddos Hybrid Defender Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Ddos Hybrid Defender Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Ddos Hybrid Defender Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Ddos Hybrid Defender Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Domain Name System Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Domain Name System Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Domain Name System Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Domain Name System Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Domain Name System Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Fraud Protection Service Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Fraud Protection Service Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Fraud Protection Service Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Fraud Protection Service Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Fraud Protection Service Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Global Traffic Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Global Traffic Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Global Traffic Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Global Traffic Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Global Traffic Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Link Controller Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Link Controller Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Link Controller Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Link Controller Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Link Controller Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Local Traffic Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Local Traffic Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Local Traffic Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Local Traffic Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Local Traffic Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 12.1.0 < 12.1.5.3

F5 ≫ Big-ip Policy Enforcement Manager Version >= 13.1.0 < 13.1.3.6

F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.1.0 < 14.1.4

F5 ≫ Big-ip Policy Enforcement Manager Version >= 15.1.0 < 15.1.2.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 16.0.0 < 16.0.1.1

F5 ≫ Big-iq Centralized Management Version >= 6.0.0 < 6.1.0

F5 ≫ Big-iq Centralized Management Version >= 7.0.0 < 7.0.0.2

F5 ≫ Big-iq Centralized Management Version >= 7.1.0 < 7.1.0.3

F5 ≫ Ssl Orchestrator Version >= 12.1.0 < 12.1.5.3

F5 ≫ Ssl Orchestrator Version >= 13.1.0 < 13.1.3.6

F5 ≫ Ssl Orchestrator Version >= 14.1.0 < 14.1.4

F5 ≫ Ssl Orchestrator Version >= 15.1.0 < 15.1.2.1

F5 ≫ Ssl Orchestrator Version >= 16.0.0 < 16.0.1.1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability

Vulnerability

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.47%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://support.f5.com/csp/article/K03009991

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-22986

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-22986

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-22986

EUVD