Brace for impact
Networking and application delivery technology vendor F5 has fixed a pair of high-impact, web security-related vulnerabilities.
First up for triage was a code injection risk involving F5’s NGINX Controller API Management technology, which allows DevOps teams to “define, publish, secure, monitor, and analyze APIs”.
The vulnerability – tracked as CVE-2022-23008 – earns a CVSS score of 8.7, marking it out as the highest severity flaw in F5’s latest patch batch.
Successful exploitation of the flaw would allow an attacker to read and/or write files on the NGINX data plane instance. The vulnerability was discovered internally by F5.
Users are advised to upgrade to version 3.19.1.
BIG-IP load balancer
The flaw earns a CVSS score of 7.5, marking it out as another high-severity threat. The issue was also discovered internally by engineers from F5.
F5’s latest quarterly patch batch addresses a total of 15 ‘high’ severity vulnerabilities, nine ‘medium’ risk flaws, and one ‘low’ severity bug. Many of the flaws involve memory handling or system crashing (denial of service) risks.
A full breakdown of the content of the patches, released last Wednesday (January 19), together with suggested remediation advice, can be found in F5’s related security advisory.