CVE-2021-22997 — Missing Authentication for Critical Function in F5 Big-iq Centralized Management

CWE-306 — Missing Authentication for Critical Function CWE-287 — Improper Authentication4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 44.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-iq Centralized Management

Timeline

PublishedMar 31

Latest updateMay 24

Description

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDf5/big-iq_centralized_management6.0.0 — 8.0.0

▶CVEListV5f5/big-iq_centralized_managementAll 7.x and 6.x versions

🔴Vulnerability Details

GHSA

GHSA-v9r8-fpcm-rhvm: On all 7↗2022-05-24

▶

CVEList

CVE-2021-22997: On all 7↗2021-03-31

▶

📋Vendor Advisories

CVE-2021-22997: On all 7↗2021-03-31

▶