CVE-2022-1388

Warning

Exploit

EPSS 94.46%
Published 05.05.2022 17:15:10
Last modified 02.04.2025 18:17:58
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected products Warnungen 1 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Access Policy Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Access Policy Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Access Policy Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Access Policy Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Access Policy Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Advanced Firewall Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Advanced Firewall Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Advanced Firewall Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Advanced Firewall Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Analytics Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Analytics Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Analytics Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Analytics Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Analytics Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Analytics Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Application Acceleration Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Application Acceleration Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Application Acceleration Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Application Acceleration Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Application Acceleration Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Application Security Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Application Security Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Application Security Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Application Security Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Application Security Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Application Security Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Domain Name System Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Domain Name System Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Domain Name System Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Domain Name System Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Domain Name System Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Domain Name System Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Fraud Protection Service Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Fraud Protection Service Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Fraud Protection Service Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Fraud Protection Service Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Fraud Protection Service Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Fraud Protection Service Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Global Traffic Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Global Traffic Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Global Traffic Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Global Traffic Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Global Traffic Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Global Traffic Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Link Controller Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Link Controller Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Link Controller Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Link Controller Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Link Controller Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Link Controller Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Local Traffic Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Local Traffic Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Local Traffic Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Local Traffic Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Local Traffic Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Local Traffic Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Policy Enforcement Manager Version >= 11.6.1 <= 11.6.5

F5 ≫ Big-ip Policy Enforcement Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Policy Enforcement Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Policy Enforcement Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 16.1.0 < 16.1.2.2

10.05.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

F5 BIG-IP Missing Authentication Vulnerability

Vulnerability

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.46%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
f5sirt@f5.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry