SECURITY ALERTS

A Vulnerability (CVE-2022-1388) Exists in F5 Networks BIG-IP That Allows Arbitrary Code Execution

DESCRIPTION:
This vulnerability (CVE-2022-1388) may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary code.

 

AFFECTED RELEASES:
The affected BIG-IP versions (all modules) are listed below:
16.1.0-16.1.2
15.1.0-15.1.5
14.1.0-14.1.4
13.1.0-13.1.4
12.1.0-12.1.6
11.6.1-11.6.5
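
For triaging a device inventory against the ranges listed above, the following is an added example (not part of the original alert and not F5 code). It assumes an inventory of "hostname version" lines; the hostnames and the sample inventory are constructed. Because the ranges above are given with three components only, a point release such as 15.1.5.1 is reported as REVIEW and should be treated as affected until checked against the F5 advisory.

```python
import re

# Affected ranges exactly as listed in this alert (inclusive, three components).
AFFECTED_RANGES = [
    ("16.1.0", "16.1.2"), ("15.1.0", "15.1.5"), ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.4"), ("12.1.0", "12.1.6"), ("11.6.1", "11.6.5"),
]
_VERSION_RE = re.compile(r"\d+(\.\d+){2,3}")

def _parse(version):
    """Return the version as a tuple of ints, or None if it is malformed."""
    version = version.strip()
    if not _VERSION_RE.fullmatch(version):
        return None
    return tuple(int(part) for part in version.split("."))

def classify(version):
    """AFFECTED: inside a listed range. REVIEW: point release of a listed
    version (the ranges do not say which point releases carry the fix).
    NOT_LISTED: outside every range. INVALID: not a dotted numeric version."""
    parsed = _parse(version)
    if parsed is None:
        return "INVALID"
    base = parsed[:3]
    for low, high in AFFECTED_RANGES:
        if _parse(low) <= base <= _parse(high):
            point = parsed[3] if len(parsed) == 4 else 0
            return "REVIEW" if point > 0 else "AFFECTED"
    return "NOT_LISTED"

def triage(inventory_text):
    """Map hostname -> classification for 'hostname version' lines."""
    results = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) == 2:  # skip blank or malformed lines
            results[fields[0]] = classify(fields[1])
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
lb-edge-01 16.1.2
lb-edge-02 15.1.5.1
lb-core-01 17.0.0
lb-lab-01 13.1.x
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

NOT_LISTED means only that the version falls outside the ranges in this alert; it is not a statement that the release is supported or patched.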

 

SOLUTION:
1. Users and system administrators of affected products are advised to refer to the “Security Advisory Status” part of the official webpage (https://support.f5.com/csp/article/K23605346) and apply the security updates as follows:
(1) Go to https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20LTM.
(2) Download the update package for your module and version, and update to the latest version.
2. If no patch has been released for the version you are running, you are advised to upgrade to a version that is still supported and contains the fix.
3. If you cannot update to the latest version, refer to the “Trend Micro Protection” part of the official webpage (https://support.f5.com/csp/article/K23605346) and take the actions below:
(1) Block iControl REST access through the self IP address.
(2) Block iControl REST access through the management interface.
(3) Modify the BIG-IP httpd configuration.


REFERENCE:
1. https://www.ithome.com.tw/news/150831
2. https://nvd.nist.gov/vuln/detail/CVE-2022-1388
3. https://support.f5.com/csp/article/K23605346
4. https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20LTM
 
