- 57/2024
- High
F5 has released security updates to address several vulnerabilities in multiple F5 products.
The addressed vulnerabilities could allow the authenticated remote attacker to perform denial of service attacks, manipulate data, view, add, modify, or delete information in the back-end database, obtain sensitive information, bypass security restrictions, execute arbitrary commands, and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. BIG-IP iControl REST Code Execution Vulnerability (CVE-2024-22093):
- CVSS: 8.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. F5 NGINX Plus and NGINX Open Source Denial of Service (CVE-2024-24990):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
3. F5 BIG-IP Security Bypass Vulnerability (CVE-2024-22389):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Bypass Security
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.