SB2024050926 - Multiple vulnerabilities in F5 BIG-IP Next Central Manager API

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2024-26026)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the API. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) SQL injection (CVE-ID: CVE-2024-21793)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the API interface. A remote non-authenticated attacker can send a specially crafted HTTP request to perform OData injection and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

3) Improper Certificate Validation (CVE-ID: CVE-2024-33612)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation. A remote attacker can impersonate an Instance Provider system and perform MitM attack.

Remediation

Install update from vendor's website.

References

• https://my.f5.com/manage/s/article/K000138733
• https://my.f5.com/manage/s/article/K000138732
• https://my.f5.com/manage/s/article/K000139012