Yet another security vendor finds critical bugs in its products

Cybersecurity company F5 has published an advisory warning of seven vulnerabilities in its product suite, four of which are classified as critical.

The bugs affect all F5 BIG-IP and BIG-IQ deployments and can be abused to perform remote code execution (RCE), denial-of-service (DoS) and device takeover attacks.

So severe are the bugs that the US Cybersecurity and Infrastructure Security Agency (CISA) has also published a notice, in which it calls for businesses to “review the F5 advisory and install updated software as soon as possible.”

According to the F5 advisory, fixes are now available for all seven vulnerabilities.

F5 security vulnerabilities

The most severe of the F5 vulnerabilities, CVE-2021-22987, was handed a severity rating of 9.9/10 under the Common Vulnerability Scoring System (CVSS). The bug allows users with network access to the Configuration utility (also called the Traffic Management User Interface) to “execute arbitrary system commands, create or delete files, or disable services.”

CVE-2021-22986, meanwhile, relates to the iControl REST interface and creates opportunity for the same kinds of attack, earning it a severity rating of 9.8.

Both flaws require access to the control plane, however, so an attacker would need to either own or steal login credentials.

The final two critical bugs, CVE-2021-22991 and CVE-2021-22992, are buffer-overflow vulnerabilities that open the door to DoS attacks and, in certain situations, to remote code execution.

Beyond these four critical vulnerabilities, the company also published details on one medium-severity and two high-severity flaws, along with an apology to affected customers.

“These vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions,” said F5 in a blog post. “Because we understand how critical BIG-IP and BIG-IQ are to our customers, as soon as these vulnerabilities were discovered we immediately began work on fixes and published the security advisories as soon as we could.”

“The trust you place in F5 to handle the security and delivery of your most important assets - your applications - is not something we take lightly. We understand vulnerability remediation can be disruptive to your business.”