CVE-2022-41617

Summary

In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, When the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface.

Affected Software

VendorProductVersion RangeStatus
F5BIG-IP Advanced WAF & ASM17.0.0 < 17.0.x*unaffected
F5BIG-IP Advanced WAF & ASM16.1.x < 16.1.3.1affected
F5BIG-IP Advanced WAF & ASM15.1.x < 15.1.6.1affected
F5BIG-IP Advanced WAF & ASM14.1.x < 14.1.5.1affected
F5BIG-IP Advanced WAF & ASM13.1.x < 13.1.5.1affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References