CVE-2022-1468 iControl REST users with guest privileges can delay iControl REST requests on all versions of 17.0.x, 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x F5 BIG-IP.

in the vulnerability note above, but are listed as versions which are no longer supported. While versions 15.0.0 through 15.0.3 are not at risk for this vulnerability, we strongly recommend that you upgrade to version 15.0.4 or later, as soon as possible. In addition, we recommend that you consider upgrading to version 16.0.0 or later, as soon as possible.

What's the risk on which version of iControl REST? What's the maximum possible risk?

This vulnerability is only applicable to REST endpoints. The version of iControl REST with the highest possible risk is 16.0.0. For most users, upgrading to version 16.0.0 or later is recommended. The latest version, 16.0.0, has a patch level of Patch 16. For other versions, the highest risk version is 16.0.0. The highest possible risk is Medium. An attacker must have a user level of admin, or be a guest user, in order to exploit this vulnerability.

What are the steps to take in order to mitigate the risk?

For all iControl REST endpoints, it's important to apply the latest patch level, as soon as possible. The latest version, 16.0.0, has a patch level of Patch 16. For end users who are not planning to upgrade to version 16.0.0 or later, we recommend that you apply the latest patch level, as soon as

Version 16.0.0 and later

This vulnerability is applicable only to REST endpoints.
The highest risk version is 16.0.0, but only if you are running the latest version of iControl REST, 16.0.0 or later.
The highest possible risk level is Medium, and an attacker must have a user level of admin or be a guest user in order to exploit this vulnerability.
For all iControl REST endpoints, we recommend that you apply the latest patch level as soon as possible.

iControl REST 16.0.0

Patch Level
Patch 16 resolves the vulnerabilities described in CVE-2022-1468 and CVE-2022-1469.

14.0.0 iControl REST Vulnerability - version 14.0.0 in the vulnerability note above, but are listed as versions which are no longer supported. While versions 15.0.0 through 15.0.3 are not at risk for this vulnerability, we strongly recommend that you upgrade to version 15.0.4 or later, as soon as possible. In addition, we recommend that you consider upgrading to version 16.0.0 or later, as soon as possible
