Main Vulnerability Database SB2021031608

SB2021031608 - Remote authenticated command execution in BIg-IP Appliance mode Advanced WAF/ASM TMUI

Published: March 16, 2021

Security Bulletin ID SB2021031608

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: CVE-2021-22989)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the Traffic Management User Interface (TMUI), when running in Appliance mode with Advanced WAF or ASM provisioned. A remote privileged user with the roles Administrator, Resource Administrator, or Application Security Administrator with network access to the Configuration utility, through the BIG-IP management port or self IP addresses can send specially crafted request to the system and execute arbitrary OS commands.

Remediation

Install update from vendor's website.

References

https://support.f5.com/csp/article/K56142644