Brace for impact

F5 latest patch batch addresses two high-impact web security vulnerabilities

Networking and application delivery technology vendor F5 has fixed a pair of high impact, web security-related vulnerabilities.

First up for triage was a code injection risk involving F5’s NGINX Controller API Management technology, which allows DevOps teams to “define, publish, secure, monitor, and analyze APIs”.

F5 explains: “An authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.”

Catch up on the latest cybersecurity vulnerability news

The vulnerability – tracked as CVE-2022-23008 – earns a CVSS score of 8.7, marking it out as the highest severity flaw in F5’s latest patch batch.

Successful exploitation of the flaw would allow an attacker to read and/or write files on the NGINX data plane instance. The vulnerability was discovered internally by F5.

Users are advised to upgrade to version 3.19.1.

BIG-IP load balancer

Also of note is a DOM-based cross-site scripting (XSS) vulnerability involving F5’s BIG-IP load balancer. The CVE-2022-23013 vulnerability in BIG-IP configuration utility could allow an attacker to execute JavaScript in the context of the current logged-in user.

The flaw earns a CVSS score of 7.5, marking it out as another high severity threat. The issue was also discovered internally by engineers from F5.

F5’s latest quarterly patch batch addresses a total of 15 ‘high’ severity vulnerabilities, nine ‘medium’ risk flaws, and one ‘low’ severity bug. Many of the flaws involve memory handling or system crashing (denial of service) risks.

A full breakdown on the content of the patches, released last Wednesday (January 19), together with suggested remediation advice, can be found in F5’s related security advisory.

YOU MAY ALSO LIKE SSRF vulnerability in VMWare authentication software could allow access to user data