F5 hurriedly squashes BIG-IP remote code execution bug

October 27, 2023 at 01:39PM

F5 has released a fix for a critical remote code execution (RCE) vulnerability in its BIG-IP suite, marked with a severity score of 9.8 out of 10. The vulnerability, tracked as CVE-2023-46747, could allow attackers to compromise the system. F5 has advised users to upgrade affected versions to the latest release or apply temporary mitigations. However, there are no fixes available yet for two other bugs impacting BIG-IP, including an SQL injection vulnerability. Praetorian researchers, who discovered the RCE vulnerability, have not disclosed full details to allow time for the patches to be applied.

Meeting Takeaways:

1. F5 has released a fix for a remote code execution (RCE) bug in its BIG-IP suite. The bug was initially discovered by researchers at Praetorian and is the third major RCE bug to impact BIG-IP since 2020.

2. The vulnerability, tracked as CVE-2023-46747, has a severity score of 9.8 out of 10 on the CVSS scale. If exploited, it could lead to total system compromise.

3. The affected versions of BIG-IP that should be upgraded to the latest version are: 17.1.0, 16.1.0-16.1.4, 15.1.0-15.1.10, 14.1.0-14.1.5, and 13.1.0-13.1.5. There are hotfixes available for all affected versions.
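A small triage helper for the version list above, added here as an example (not an F5 tool and not part of the original article): it parses a BIG-IP version string as reported by `tmsh show sys version` and reports whether the first three components fall inside one of the ranges the article lists. The inventory is constructed sample data; a version outside the listed ranges is reported as "not in the listed ranges", not as safe, and hotfix or engineering builds are not distinguished here, so the F5 advisory remains the authority.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges copied from the article's list of affected releases.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 1, 0), (17, 1, 0)),
    ((16, 1, 0), (16, 1, 4)),
    ((15, 1, 0), (15, 1, 10)),
    ((14, 1, 0), (14, 1, 5)),
    ((13, 1, 0), (13, 1, 5)),
]


def parse_version(text: str) -> Version:
    """Return the first three numeric components of a BIG-IP version string.

    BIG-IP builds may carry a fourth component (e.g. a point or hotfix build);
    only major.minor.maintenance is compared against the article's ranges, so
    a fourth component does not by itself change the result.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, maint = (int(p) for p in parts[:3])
    return (major, minor, maint)


def is_affected(text: str) -> bool:
    """True if the version falls inside any range listed in the article."""
    version = parse_version(text)
    # Tuple comparison is lexicographic, so (15, 1, 10) <= (15, 1, 10) holds
    # while (15, 1, 11) does not; that is exactly the inclusive-range check.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory of host -> version into two buckets.

    'in_listed_range' hosts need the upgrade or F5's temporary mitigation;
    'not_in_listed_range' hosts still need to be checked against the advisory,
    because this helper only knows the ranges printed in the article.
    """
    result: Dict[str, List[str]] = {"in_listed_range": [], "not_in_listed_range": []}
    for host, version in inventory.items():
        bucket = "in_listed_range" if is_affected(version) else "not_in_listed_range"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "lb-edge-01": "16.1.4",
        "lb-edge-02": "17.1.0",
        "lb-dc-01": "15.1.10",
        "lb-lab-01": "12.1.6",
    }
    for bucket, hosts in triage(sample_inventory).items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```

Feed it the version strings collected from each device (the `Version` field of `tmsh show sys version`); anything landing in `in_listed_range` goes on the upgrade or mitigation list, and anything else is compared against the advisory rather than assumed unaffected.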

4. F5’s advisory states that no products other than BIG-IP are affected by the vulnerability.

5. Temporary mitigations have been provided by F5 for those unable to upgrade immediately.

6. The disclosure process with F5 initially faced delays, but after realizing the flaw might be known to parties outside the disclosure process, F5 decided to release the advisory and hotfix sooner.

7. F5 was made aware of the bug by an independent researcher who approached the vendor.

8. Along with the RCE bug, there are two other bugs impacting BIG-IP. One involves cache poisoning and the other is an SQL injection vulnerability. There are currently no fixes available for the cache poisoning issue.

9. The RCE bug is described as an Apache JServ Protocol (AJP) smuggling vulnerability and requires an AJP connector on Tomcat to be exploitable.

10. The Praetorian researchers will release more information about the vulnerability once enough time has passed for organizations to apply the hotfixes.

11. Organizations that expose the F5 configuration panel to the internet are advised to treat the vulnerability as urgent and apply the necessary patches.