John Layden January 24, 2022 16:56 UTC
Updated: January 24, 2022 17:04 UTC
Prepare for impact
Network and application delivery technology vendor F5 has fixed two high-impact web security-related vulnerabilities.
The first, classified as a code injection risk, involves NGINX Controller API Management, an F5 product that allows DevOps teams to “define, publish, secure, monitor and analyze APIs”.
F5 explains: “An authenticated attacker with access to the ‘User’ or ‘Administrator’ role can use an API endpoint that is not exposed on the NGINX Controller API Management to inject JavaScript code that executes on a managed NGINX data plane instance.”
The vulnerability, tracked as CVE-2022-23008, received a CVSS score of 8.7, making it the most severe flaw in F5’s latest patch batch.
Successful exploitation of this vulnerability would allow an attacker to read and/or write files on the NGINX data plane instance. The vulnerability was discovered internally by F5.
Users are advised to upgrade to version 3.19.1.
BIG-IP Load Balancer
Also of note is a DOM-based cross-site scripting (XSS) vulnerability in F5’s BIG-IP load balancer. Tracked as CVE-2022-23013, the flaw in the BIG-IP Configuration utility could allow an attacker to execute JavaScript in the context of the currently logged-in user.
The vulnerability has a CVSS score of 7.5, marking it as another high-severity threat. F5 engineers also discovered the problem internally.
F5’s latest quarterly patch batch addresses a total of 15 “high” severity vulnerabilities, nine “medium” risk vulnerabilities, and one “low” severity vulnerability. Many flaws involve memory handling or system crash (denial of service) risks.
A full breakdown of the patch batch released last Wednesday (January 19), along with recommended fixes, can be found in the relevant F5 security advisories.