QID 375888

Date Published: 2021-09-29

QID 375888: F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) TMUI Vulnerability (K42526507)

F5 BIG-IP ASM (Application Security Manager) is a flexible web application firewall that secures web applications in traditional, virtual, and private cloud environments.
F5 BIG-IP (LTM) Local Traffic Manager is the most popular module offered on F5 Networks BIG-IP platform. The real power of the LTM is it is a Full Proxy, allowing you to augment client and server side connections. All while making informed load balancing decisions on availability, performance, and persistence.
F5 BIG-IP Access Policy Manager (APM) is a secure, flexible, high-performance solution that provides unified global access to your network, cloud, and applications.

A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. (CVE-2021-23041)

Vulnerable Component: BIG-IP ASM, APM, LTM

Affected Versions:
16.0.0 - 16.0.1.1
15.1.0 - 15.1.2
14.1.0 - 14.1.4.1
13.1.0 - 13.1.4.1
12.1.0 - 12.1.6

QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

An attacker may exploit this vulnerability by convincing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system.

  • CVSS V3 rated as High - 6.1 severity.
  • CVSS V2 rated as Medium - 4.3 severity.
  • Solution
    The vendor has released patch, for more information please visit: K42526507
    Vendor References

    CVEs related to QID 375888

    Software Advisories
    Advisory ID Software Component Link
    K42526507 URL Logo support.f5.com/csp/article/K42526507