                                                   JPCERT-AT-2021-0014
                                                             JPCERT/CC
                                                            2021-03-22

                 <<< JPCERT/CC Alert 2021-03-22 >>>

Alert Regarding Vulnerability (CVE-2021-22986) in Multiple BIG-IP Products

       https://www.jpcert.or.jp/english/at/2021/at210014.html


I. Overview
On March 10, 2021 (Local Time), F5 Networks has released information
regarding multiple vulnerabilities in BIG-IP products. An
unauthenticated remote attacker leveraging these vulnerabilities may
execute arbitrary code.

    F5 Networks
    K02566623: Overview of F5 vulnerabilities (March 2021)
    https://support.f5.com/csp/article/K02566623

As for the remote command execution vulnerability in iControl REST
interface (CVE-2021-22986) among these vulnerabilities, JPCERT/CC
confirmed the Proof-of-Concept codes had already been made public, and
also observed the information of scanning activities targeting the
vulnerability and traffic which appeared to exploit this vulnerability.
Users of affected products are recommended to take measures as soon as
possible. For more information on the vulnerability, please refer to
the information provided by F5 Networks.

    F5 Networks
    K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
    https://support.f5.com/csp/article/K03009991


II. Affected Products
The following products and versions are affected by the vulnerability
(CVE-2021-22986):

  BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
  - 16.x versions from 16.0.0 to 16.0.1
  - 15.x versions from 15.1.0 to 15.1.2
  - 14.x versions from 14.1.0 to 14.1.3
  - 13.x versions from 13.1.0 to 13.1.3
  - 12.x versions from 12.1.0 to 12.1.5

  BIG-IQ Centralized Management
  - 7.x versions 7.1.0, 7.0.0
  - 6.x versions 6.0.0 to 6.1.0


III. Solution
F5 Networks released versions of the products addressing the
vulnerability (CVE-2021-22986). Please consider updating to the versions
after thorough testing.

  BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
  - 16.0.1.1
  - 15.1.2.1
  - 14.1.4
  - 13.1.3.6
  - 12.1.5.3

  BIG-IQ Centralized Management
  - 8.0.0
  - 7.1.0.3, 7.0.0.2

Also, F5 Networks has provided workarounds such as access restrictions
as a way to mitigate the impact caused by the vulnerability. If it is
difficult to apply update, please consider applying the workarounds.


IV. Related Information
Information has been released by the NCC Group on how to investigate
whether the system has already been impacted by the exploit of
the vulnerability.

    NCC Group
    RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
    https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/


V. References
    F5 Networks
    K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990
    https://support.f5.com/csp/article/K04532512


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/