|CERT-In Vulnerability Note
Multiple Vulnerabilities in F5 Products
Original Issue Date:May 24, 2022
Severity Rating: HIGH
- F5 BIG-IP APM Clients versions (13.x, 14.x, 15.x, 16.x, 17.x)
- F5 BIG-IP (all modules) versions (17.0.0, 16.1.2, 16.1.1, 16.1.0, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0)
- F5 BIG-IQ Centralized Management versions (8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0)
- F5OS, F5OS-C, F5OS-A versions (1.3.2, 1.3.1, 1.3.0, 1.2.2, 1.2.1, 1.2.0, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.1, 1.0.0)
- F5 Traffix SDC versions (5.2.0, 5.1.0)
- F5 App Protect, F5 SSL Orchestrator, F5 DDoS Hybrid Defender versions (17.0.0, 16.1.1, 16.1.0, 15.1.1, 15.1.0, 14.1.4, 14.1.2, 14.1.0)
Multiple vulnerabilities have been reported in F5 products which could be exploited by a remote attacker to execute arbitrary code or cause denial of service conditions on a targeted system.
1. zlib Memory Corruption Vulnerability
This vulnerability exists in zlib library used by F5 products due to a memory corruption in the deflate operation (i.e., when compressing) if the input has many distant matches.
Successful exploitation of this vulnerability could allow the attacker to cause denial of service conditions on the targeted system.
2. Diffie-Hellman Key Agreement Protocol Vulnerability
This vulnerability exists in F5 products due to improper input validation. A remote attacker could exploit this vulnerability by sending specially-crafted input to the affected system.
Successful exploitation of this vulnerability could allow a remote attacker to trigger expensive server-side DHE modular-exponentiation calculations, also known as a D(HE)ater attack to cause denial of service conditions on the targeted system.
3. DHCP Stack-overflow Vulnerability
This vulnerability exists in F5 products due to improper parsing of data with colon-separated hex digits in config or lease files in dhcpd and dhclient. A network adjacent attacker could exploit this vulnerability by supplying crafted input files to the affected system.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
Apply appropriate updates as mentioned security advisory:
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003