On March 10th, 2021, F5 announced four critical CVEs, along with three related CVEs (two high and one medium).
The seven related vulnerabilities are as follows:
K03009991: iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)
The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVSS score: 9.8 (Critical)

K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability (CVE-2021-22987)
When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 9.9 (Critical)

K70031188: TMUI authenticated remote command execution vulnerability (CVE-2021-22988)
TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.8 (High)

K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22989)
When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.0 (High)

K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22990)
On systems with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 6.6 (Medium)

K56715231: TMM buffer-overflow vulnerability (CVE-2021-22991)
Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL-based access control or remote code execution (RCE).
CVSS score: 9.0 (Critical)

K52510511: Advanced WAF/ASM buffer-overflow vulnerability (CVE-2021-22992)
A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.