On October 19, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated security advisory.
You can watch the October 2022 Quarterly Security Notification briefing by DevCentral in the following video:
Distributed Cloud and Managed Services
Service | Status |
---|---|
F5 Distributed Cloud Services | Does not affect or has been resolved |
Silverline | Does not affect or has been resolved |
Threat Stack | Does not affect or has been resolved |
High CVEs
Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|---|
K33484483: F5OS vulnerability CVE-2022-41835 | 8.8 | F5OS-A | 1.0.0 - 1.0.1 | 1.1.0 |
 | | F5OS-C | 1.3.0 - 1.3.2 | 1.5.0 |
K43024307: BIG-IP iRules vulnerability CVE-2022-41624 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
K02694732: BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41691 | 7.5 | BIG-IP (Advanced WAF, ASM) | 14.1.5 | 14.1.5.2 |
K70569537: BIG-IP DNS Express vulnerability CVE-2022-41787 | 7.5 | BIG-IP (DNS, LTM enabled with DNS Services license) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
K00721320: BIG-IP AFM NAT64 policy vulnerability CVE-2022-41806 | 7.5 | BIG-IP (AFM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.5 | 17.0.0, 16.1.3.2, 15.1.5.1 |
K10347453: BIG-IP SIP profile vulnerability CVE-2022-41832 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
K69940053: BIG-IP iRules vulnerability CVE-2022-41833 | 7.5 | BIG-IP (all modules) | 13.1.0 - 13.1.5 | 14.1.0 |
K47204506: BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41836 | 7.5 | BIG-IP (Advanced WAF, ASM) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6 | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
K11830089: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617 | 7.2 (Standard deployment mode); 9.1 (Appliance mode) | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
K28112382: NGINX ngx_http_mp4_module vulnerability CVE-2022-41742 | 7.1 | NGINX Plus | R22 - R27 | R27 P1, R26 P1 |
 | | NGINX Open Source Subscription | R1 - R2 | R2 P1, R1 P1 |
 | | NGINX Open Source | 1.23.0 - 1.23.1, 1.1.3 - 1.22.0 | 1.23.2, 1.22.1 |
 | | NGINX Ingress Controller | 2.0.0 - 2.4.0, 1.9.0 - 1.12.4 | 2.4.1, 1.12.5 |
K81926432: NGINX ngx_http_mp4_module vulnerability CVE-2022-41741 | 7.0 | NGINX Plus | R22 - R27 | R27 P1, R26 P1 |
 | | NGINX Open Source Subscription | R1 - R2 | R2 P1, R1 P1 |
 | | NGINX Open Source | 1.23.0 - 1.23.1, 1.1.3 - 1.22.0 | 1.23.2, 1.22.1 |
 | | NGINX Ingress Controller | 2.0.0 - 2.4.0, 1.9.0 - 1.12.4 | 2.4.1, 1.12.5 |
K01112063: NGINX ngx_http_hls_module vulnerability CVE-2022-41743 | 7.0 | NGINX Plus | R22 - R27 | R27 P1, R26 P1 |
 | | NGINX Ingress Controller | 2.0.0 - 2.4.0, 1.9.0 - 1.12.4 | 2.4.1, 1.12.5 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Medium CVEs
Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|---|
K22505850: BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770 | 6.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
 | | BIG-IQ Centralized Management | 8.0.0 - 8.2.0, 7.1.0 | None |
K93723284: BIG-IP PEM and AFM TMUI, TMSH, and iControl REST vulnerability CVE-2022-41813 | 6.5 | BIG-IP (AFM, PEM) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5 | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
K81701735: F5OS CLI vulnerability CVE-2022-41780 | 5.5 | F5OS-A | 1.0.0 - 1.0.1 | 1.1.0 |
 | | F5OS-C | 1.1.0 - 1.3.2 | 1.4.0 |
K52494562: BIG-IP software SYN cookies vulnerability CVE-2022-36795 | 5.3 | BIG-IP (all modules) | 17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5 | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
K64829234: BIG-IP and BIG-IQ mcpd vulnerability CVE-2022-41694 | 4.9 | BIG-IP (all modules) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.6, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5 | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
 | | BIG-IQ Centralized Management | 8.0.0 - 8.2.0, 7.1.0 | 8.2.0.1 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Low CVEs
Security Advisory (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|---|
K31523465: BIG-IP TMM vulnerability CVE-2022-41983 | 3.7 | BIG-IP (all modules) | 16.1.0 - 16.1.3, 15.1.0 - 15.1.6, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5 | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Security Exposures
Security Advisory (Exposure) | Affected products | Affected versions¹ | Fixes introduced in |
---|---|---|---|
K49237345: BIG-IP Advanced WAF, ASM, and NGINX App Protect WAF XML encoding security exposure | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
 | NGINX App Protect WAF | 3.0.0 - 3.11.0, 2.0.0 - 2.3.0 | 3.12.0 |
¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.