Pinochle Cybersecurity: BIG-IP iControl REST Vulnerability CVE-2022-1388
Background
F5 Product Development has assigned IDs 1033837, 1051561, and 1052837 (BIG-IP) to this vulnerability. This issue has been classified as CWE-306: Missing Authentication for Critical Function.
To determine if your product and version have been evaluated for this vulnerability and to determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning.
Mitigation
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.
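To check whether the restriction to trusted networks is actually holding, the added example below (not code from F5 or from this page) scans web access log lines for iControl REST requests, which are served under the /mgmt/ URI prefix, arriving from addresses outside an allowlist. The trusted networks, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks permitted to reach iControl REST (placeholder values).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.0.2.10/32")]

# iControl REST endpoints live under this URI prefix on BIG-IP.
REST_PREFIX = "/mgmt/"

# Constructed sample lines in Common Log Format style (not real BIG-IP output).
SAMPLE_LOG = """\
10.10.0.5 - admin [04/May/2022:10:00:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.77 - - [04/May/2022:10:02:13 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
198.51.100.4 - - [04/May/2022:10:03:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2048
192.0.2.10 - admin [04/May/2022:10:05:00 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 64
not a log line
198.51.100.9 - - [04/May/2022:10:06:55 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})\b')


def is_trusted(ip):
    """True when the address falls inside any allowlisted network."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_rest_requests(log_text):
    """Return iControl REST requests whose source is outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        src, ts, method, path, status = m.groups()
        path_only = path.split("?", 1)[0]  # ignore any query string
        if not (path_only == "/mgmt" or path_only.startswith(REST_PREFIX)):
            continue  # not an iControl REST request
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is a hostname or garbage, not an IP
        if not is_trusted(ip):
            findings.append({"src": src, "time": ts, "method": method,
                             "path": path_only, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in untrusted_rest_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['method']} {f['path']} -> {f['status']}")
```

Any hit means the access restriction is not in effect on that interface; a 200 response to an untrusted source deserves attention before a 401 does.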
Speed to Security Intelligence
If you have an incident or need additional information on ways to detect and respond to cyber threats, contact a member of our CIFR team 24/7/365 by phone 1888-RISK-221 or e-mail [email protected] or [email protected].