To work around this issue, administrators can enable the HTTP strict-transport-security profile. Fixed in version 15.1.4. This issue was previously documented as CVE-2017-10911.
Impact:
Virtual server may stop processing new client connections.
Workaround:
Enable the HTTP strict-transport-security profile. Fixed in version 15.1.4. This issue was previously documented as CVE-2017-10912.
Recurrence:
An attacker may exploit an undisclosed issue to cause the virtual server to stop processing new client connections.
Impact:
Virtual server may stop processing new client connections.
Workaround:
Enable the HTTP strict-transport-security profile. Fixed in version 15.1.4. This issue was previously documented as CVE-2017-10913.
CVE-2023-23028
Impact:
Virtual server may stop processing new client connections.
Workaround:
Enable the HTTP strict-transport-security profile. Fixed in version 15.1.4. This issue was previously documented as CVE-2017-10914.
Virtual Server Exposes Internal Network to the Internet
Doing so revealed server information and prompted further attacks.
Impact:
Attackers may exploit an undisclosed issue to cause the virtual server to stop processing new client connections.
Vulnerable version
Virtual Server, version 15.1.3 and earlier
Workaround:
Enable the HTTP strict-transport-security profile. Fixed in version 15.1.4. This issue was previously documented as CVE-2017-10914.
Timeline
Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 17:40:00 UTC