Deserialization of Untrusted Data in F5 BIG-IP DNS



Published: 2022-08-05
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-33947
CWE-ID CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		BIG-IP DNS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor F5 Networks

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU66145

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33947

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the Traffic Management User Interface (TMUI). A remote user can cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IP DNS: 13.1.0 - 16.1.2

Fixed software versions

CPE2.3 External links

http://support.f5.com/csp/article/K38893457


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###