F5 Releases Security Update for Vulnerability in BIG-IP

Security update addresses an SQL injection vulnerability in BIG-IP


Threat details

Introduction

F5 have released a security update addressing an SQL injection vulnerability within BIG-IP. This vulnerability has a CVSSv3 score of 8.8 and is being tracked as CVE-2023-46748. 

This vulnerability could allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.

Exploitation in the wild of CVE-2023-46748

F5 have stated that this vulnerability has been observed being actively exploited in the wild.


Remediation advice

Affected organisations are encouraged to review the F5 Security Advisory and apply any relevant updates or mitigations.


Definitive source of threat updates


Last edited: 1 November 2023 2:40 pm