CVE-2021-22981: F5 BIG-IP Access Policy Manager vulnerability

4 documents, 4 sources

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.2% (top 54.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 12; Latest update May 24

Description

On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (15 packages)

Source  Package                           Affected versions
NVD     f5/big-ip_analytics               11.6.1 - 11.6.5 (+1)
NVD     f5/big-ip_link_controller         11.6.1 - 11.6.5 (+1)
NVD     f5/big-ip_ssl_orchestrator        11.6.1 - 11.6.5 (+1)
NVD     f5/big-ip_domain_name_system      11.6.1 - 11.6.5 (+1)
NVD     f5/big-ip_ddos_hybrid_defender    11.6.1 - 11.6.5 (+1)

Vulnerability Details (2)

Source   Document                                             Date
GHSA     GHSA-q9r3-wvmc-78qp: On all versions of BIG-IP 12    2022-05-24
CVEList  CVE-2021-22981: On all versions of BIG-IP 12         2021-02-12

Vendor Advisories (1)

Source   Document                                             Date
F5       CVE-2021-22981: On all versions of BIG-IP 12         2021-02-12
CVE-2021-22981 — F5 vulnerability | cvebase