CVE-2022-1388: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-05-31

Exploited in the wild

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected

84 ranges· showing 25

Vendor	Product	Version range	Fixed in
f5	big-ip	11.6.x – 11.6.5	—
f5	big-ip	12.1.x – 12.1.6	—
f5	big-ip	>= 13.1.x < 13.1.5	13.1.5
f5	big-ip	>= 14.1.x < 14.1.4.6	14.1.4.6
f5	big-ip	>= 15.1.x < 15.1.5.1	15.1.5.1
f5	big-ip	>= 16.1.x < 16.1.2.2	16.1.2.2
f5	big-ip_aam	—	—
f5	big-ip_access_policy_manager	11.6.1 – 11.6.5	—
f5	big-ip_access_policy_manager	12.1.0 – 12.1.6	—
f5	big-ip_access_policy_manager	>= 13.1.0 < 13.1.5	13.1.5
f5	big-ip_access_policy_manager	>= 14.1.0 < 14.1.4.6	14.1.4.6
f5	big-ip_access_policy_manager	>= 15.1.0 < 15.1.5.1	15.1.5.1
f5	big-ip_access_policy_manager	>= 16.1.0 < 16.1.2.2	16.1.2.2
f5	big-ip_advanced_firewall_manager	11.6.1 – 11.6.5	—
f5	big-ip_advanced_firewall_manager	12.1.0 – 12.1.6	—
f5	big-ip_advanced_firewall_manager	>= 13.1.0 < 13.1.5	13.1.5
f5	big-ip_advanced_firewall_manager	>= 14.1.0 < 14.1.4.6	14.1.4.6
f5	big-ip_advanced_firewall_manager	>= 15.1.0 < 15.1.5.1	15.1.5.1
f5	big-ip_advanced_firewall_manager	>= 16.1.0 < 16.1.2.2	16.1.2.2
f5	big-ip_afm	—	—
f5	big-ip_analytics	—	—
f5	big-ip_analytics	11.6.1 – 11.6.5	—
f5	big-ip_analytics	12.1.0 – 12.1.6	—
f5	big-ip_analytics	>= 13.1.0 < 13.1.5	13.1.5
f5	big-ip_analytics	>= 14.1.0 < 14.1.4.6	14.1.4.6

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vulncheck9.8CRITICAL

cisa9.8CRITICAL