F5F5:K000130496K000130496 : Overview of F5 vulnerabilities (February 2023)
Security Advisory Description
On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
Important: Customers who upgrade to 15.1.8, 15.1.8.1, or 15.1.8.2 will be unable to upgrade to 16.1.x or 17.0.x at this time. Upgrades from 15.1.8.x to 17.1.x are not affected. For more information, refer to Bug ID 1161913: Upgrades from 15.1.8, 15.1.8.1, or 15.1.8.2 to 16.1.x or 17.0.x (but not 17.1.x) fail, and leave device INOPERATIVE.
Distributed Cloud and Managed Services
| Service | Status |
|---|---|
| F5 Distributed Cloud Services | Does not affect or has been resolved |
| Silverline | Does not affect or has been resolved |
| F5 Distributed Cloud App Infrastructure Protection (AIP) | Does not affect or has been resolved |
- High CVEs
- Medium CVEs
High CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K000130415: iControl SOAP vulnerability CVE-2023-22374 | 8.5 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.2.2 - 16.1.3 | ||||
| 15.1.5.1 - 15.1.8 | ||||
| 14.1.4.6 - 14.1.5 | ||||
| 13.1.5 | 17.1.0 | |||
| 16.1.3.4 | ||||
| 15.1.8.2 | ||||
| 14.1.5.4 | ||||
| K76964818: BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 7.8 | BIG-IP (APM) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 |
17.1.0
17.0.0.2
16.1.3.4
15.1.8.2
BIG-IP APM Clients| 7.2.2 - 7.2.3| 7.2.4
7.2.3.1
K08182564: BIG-IP SIP profile vulnerability CVE-2023-22842| 7.5| BIG-IP (all modules)| 16.1.0 - 16.1.3
15.1.0 - 15.1.8
14.1.0 - 14.1.5| 17.0.0
16.1.3.3
15.1.8.1
14.1.5.3
K56412001: BIG-IP SSL OCSP Authentication profile vulnerability CVE-2023-22323| 7.5| BIG-IP (all modules)| 17.0.0
16.1.0 - 16.1.3
15.1.0 - 15.1.8
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 17.1.0
17.0.0.2
16.1.3.3
15.1.8.1
14.1.5.3
K46048342: BIG-IP AFM vulnerability CVE-2023-22281| 7.5| BIG-IP (all modules)| 17.0.0
16.1.0 - 16.1.3
15.1.0 - 15.1.7
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 17.1.0
17.0.0.2
16.1.3.3
15.1.8
14.1.5.3
K20717585: BIG-IP APM OAuth vulnerability CVE-2023-22341| 7.5| BIG-IP (APM)| 14.1.0 - 14.1.5
13.1.0 - 13.1.5| 14.1.5.3
K56676554: BIG-IP HTTP/2 profile vulnerability CVE-2023-22664| 7.5| BIG-IP (all modules)| 17.0.0
16.1.0 - 16.1.3| 17.1.0
17.0.0.2
16.1.3.3
BIG-IP SPK| 1.6.0| 1.7.0
K34525368: BIG-IP SIP profile vulnerability CVE-2023-22340| 7.5| BIG-IP (all modules)| 16.1.0 - 16.1.3
15.1.0 - 15.1.7
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 16.1.3.3
15.1.8
14.1.5.3
K17542533: BIG-IP Advanced WAF and ASM vulnerability CVE-2023-23552| 7.5| BIG-IP (ASM)| 17.0.0
16.1.0 - 16.1.3
15.1.0 - 15.1.7
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 17.1.0
17.0.0.2
16.1.3.3
15.1.8
14.1.5.3
K37708118: BIG-IP DNS profile vulnerability CVE-2023-22839| 7.5| BIG-IP (DNS, LTM with DNS Services license)| 17.0.0
16.1.0 - 16.1.3
15.1.0 - 15.1.8
14.1.0 - 14.1.5
13.1.0 - 13.1.5| 17.1.0
17.0.0.2
16.1.3.3
15.1.8.1
14.1.5.3
K24572686: BIG-IP Virtual Edition vulnerability CVE-2023-23555| 7.5| BIG-IP (all modules)| 15.1.4 - 15.1.7
14.1.5| 15.1.8
14.1.5.3
BIG-IP SPK| 1.5.0| 1.6.0
K06345931: F5OS vulnerability CVE-2023-22657| 7.5| F5OS-A| 1.2.0
1.1.0 - 1.1.1
1.0.0 - 1.0.1| 1.3.0
F5OS-C| 1.3.0 - 1.3.2| 1.5.0
K43881487: HTTP profile vulnerability CVE-2023-22422| 7.5| BIG-IP (all modules)| 17.0.0
16.1.0 - 16.1.3| 17.1.0
17.0.0.2
16.1.3.3
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
2F5 has fixed this issue in an engineering hotfix that is available for supported versions of the BIG-IP system. Customers affected by this issue can download the engineering hotfix for the latest supported versions of BIG-IP from the MyF5 Downloads page. For more information, refer to K000090258: Download F5 products from MyF5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Medium CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in |
|---|---|---|---|---|
| K07143733: BIG-IP Edge Client for Windows vulnerability CVE-2023-22283 | 6.3 | BIG-IP (APM) | 17.0.0 | |
| 16.1.0 - 16.1.3 | ||||
| 15.1.0 - 15.1.8 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.1.0 | |||
| 17.0.0.2 | ||||
| BIG-IP APM Clients | 7.2.2 - 7.2.3 | 7.2.4 | ||
| 7.2.3.1 | ||||
| K95503300: BIG-IP APM virtual server vulnerability CVE-2023-22418 | 6.1 | BIG-IP (APM) | 17.0.0 | |
| 16.1.0 -16.1.3 | ||||
| 15.1.0 - 15.1.6 | ||||
| 14.1.0 - 14.1.5 | 17.0.0.2 | |||
| 16.1.3.3 | ||||
| 15.1.7 | ||||
| 14.1.5.3 | ||||
| K58550078: BIG-IP HTTP profile vulnerability CVE-2023-22302 | 5.9 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.2.2 -16.1.3 | 17.1.0 | |||
| 17.0.0.2 | ||||
| 16.1.3.3 | ||||
| K83284425: iControl REST and tmsh vulnerability CVE-2023-22326 | 4.9 | BIG-IP (all modules) | 17.0.0 | |
| 16.1.0 -16.1.3 | ||||
| 15.1.0 - 15.1.8 | ||||
| 14.1.0 - 14.1.5 | ||||
| 13.1.0 - 13.1.5 | 17.0.0.2 | |||
| 16.1.3.3 | ||||
| 15.1.8.1 | ||||
| 14.1.5.3 | ||||
| BIG-IQ Centralized Management | 8.0.0 - 8.2.0 | |||
| 7.1.0 | None |
1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related
