CVE-2022-1388 vulnerability in F5 Networks Products
Published on May 5, 2022

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vendor Advisory NVD

Known Exploited Vulnerability

This F5 BIG-IP Missing Authentication Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

The following remediation steps are recommended / required by May 31, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2022-1388 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Products Associated with CVE-2022-1388

You can be notified by stack.watch whenever vulnerabilities like CVE-2022-1388 are published in these products:

What versions are vulnerable to CVE-2022-1388?

F5 Networks Big Ip Access Policy Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Advanced Firewall Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Analytics Version 11.6.1 through 11.6.5
F5 Networks Big Ip Application Acceleration Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Application Security Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Domain Name System Version 11.6.1 through 11.6.5
F5 Networks Big Ip Fraud Protection Service Version 11.6.1 through 11.6.5
F5 Networks Big Ip Global Traffic Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Link Controller Version 11.6.1 through 11.6.5
F5 Networks Big Ip Local Traffic Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Policy Enforcement Manager Version 11.6.1 through 11.6.5
F5 Networks Big Ip Access Policy Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Advanced Firewall Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Analytics Version 12.1.0 through 12.1.6
F5 Networks Big Ip Domain Name System Version 12.1.0 through 12.1.6
F5 Networks Big Ip Application Acceleration Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Fraud Protection Service Version 12.1.0 through 12.1.6
F5 Networks Big Ip Global Traffic Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Link Controller Version 12.1.0 through 12.1.6
F5 Networks Big Ip Local Traffic Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Policy Enforcement Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Application Security Manager Version 12.1.0 through 12.1.6
F5 Networks Big Ip Analytics Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Analytics Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Analytics Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Analytics Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Advanced Firewall Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Advanced Firewall Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Advanced Firewall Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Access Policy Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Access Policy Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Access Policy Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Access Policy Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Advanced Firewall Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Application Acceleration Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Application Acceleration Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Application Acceleration Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Application Acceleration Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Application Security Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Application Security Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Application Security Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Application Security Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Fraud Protection Service Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Fraud Protection Service Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Fraud Protection Service Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Fraud Protection Service Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Domain Name System Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Domain Name System Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Domain Name System Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Domain Name System Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Policy Enforcement Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Policy Enforcement Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Policy Enforcement Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Local Traffic Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Local Traffic Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Local Traffic Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Local Traffic Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Link Controller Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Link Controller Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Link Controller Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Link Controller Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Global Traffic Manager Version 16.1.0 Fixed in Version 16.1.2.2
F5 Networks Big Ip Global Traffic Manager Version 15.1.0 Fixed in Version 15.1.5.1
F5 Networks Big Ip Global Traffic Manager Version 14.1.0 Fixed in Version 14.1.4.6
F5 Networks Big Ip Global Traffic Manager Version 13.1.0 Fixed in Version 13.1.5
F5 Networks Big Ip Policy Enforcement Manager Version 13.1.0 Fixed in Version 13.1.5