Multiple Vulnerabilities Affecting F5 Networking Products
3 February 2023
F5 has released a security advisory addressing multiple vulnerabilities, many of which are rated high-impact, affecting its networking products.
The vulnerabilities are:
• CVE-2023-22374: An authenticated attacker can crash the iControl SOAP CGI process and potentially execute arbitrary code.
• CVE-2023-22358: An attacker can use malicious Dynamic Link Libraries (DLLs) to escalate privileges on the client's Windows system.
• CVE-2023-22842, CVE-2023-22281, CVE-2023-22341, CVE-2023-22340, CVE-2023-22839, CVE-2023-23555, and CVE-2023-22422: A remote unauthenticated attacker can cause a denial-of-service (DoS) on the BIG-IP system.
• CVE-2023-22323, CVE-2023-22664, and CVE-2023-23552: A remote unauthenticated attacker can cause a degradation of service which can lead to a DoS on the BIG-IP system.
• CVE-2023-22657: An attacker can trick an administrator into uploading a file whose specially crafted file name injects commands.
The following products are affected by the aforementioned vulnerabilities:
• BIG-IP version 17.0.0
• BIG-IP versions 16.1.2.2 - 16.1.3
• BIG-IP versions 15.1.5.1 - 15.1.8
• BIG-IP versions 14.1.4.6 - 14.1.5
• BIG-IP versions 13.1.0 - 13.1.5
• BIG-IP APM Clients 7.2.2 - 7.2.3
• BIG-IP SPK version 1.6.0
• BIG-IP SPK version 1.5.0
• F5OS-A version 1.2.0
• F5OS-A versions 1.1.0 - 1.1.1
• F5OS-A versions 1.0.0 - 1.0.1
• F5OS-C versions 1.3.0 - 1.3.2
Users and administrators of affected product versions are advised to upgrade to the latest versions and download the engineering hotfix for the latest supported versions of BIG-IP immediately.
Users and administrators are encouraged to refer to F5's website regularly for updates and recommended actions.
More information is available here: