Details of VAR-202103-0817

ID

VAR-202103-0817

CVE

CVE-2021-22997

TITLE

BIG-IQ Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-005101

DESCRIPTION

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. BIG-IQ Contains an authentication vulnerability.Information may be obtained. F5 BIG-IQ is a set of software-based cloud management solutions from F5 Corporation of the United States. The solution supports the deployment of application delivery and network services across public and private clouds, traditional data centers and hybrid environments

Trust: 1.71

sources: NVD: CVE-2021-22997 // JVNDB: JVNDB-2021-005101 // VULHUB: VHN-381483

AFFECTED PRODUCTS

vendor:	f5	model:	big-iq centralized management	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	lt	version:	8.0.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	eq	version:	7.x	Trust: 0.8
vendor:	f5	model:	big-iq centralized management	scope:	eq	version:	6.x	Trust: 0.8
vendor:	f5	model:	big-iq centralized management	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-005101 // NVD: CVE-2021-22997

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22997
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22997
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202103-824
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381483
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-22997
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-381483
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22997
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22997
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381483 // JVNDB: JVNDB-2021-005101 // CNNVD: CNNVD-202103-824 // NVD: CVE-2021-22997

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.1
problemtype:	Improper authentication (CWE-287) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381483 // JVNDB: JVNDB-2021-005101 // NVD: CVE-2021-22997

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-824

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202103-824

PATCH

title:	K34074377	url:	https://support.f5.com/csp/article/K34074377	Trust: 0.8
title:	F5 BIG-IP Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146566	Trust: 0.6
title:	F5_Vulnerability	url:	https://github.com/DNTYO/F5_Vulnerability	Trust: 0.1

sources: VULMON: CVE-2021-22997 // JVNDB: JVNDB-2021-005101 // CNNVD: CNNVD-202103-824

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22997	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-005101	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-824	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0867	Trust: 0.6
db:	VULHUB	id:	VHN-381483	Trust: 0.1
db:	VULMON	id:	CVE-2021-22997	Trust: 0.1

sources: VULHUB: VHN-381483 // VULMON: CVE-2021-22997 // JVNDB: JVNDB-2021-005101 // CNNVD: CNNVD-202103-824 // NVD: CVE-2021-22997

REFERENCES

url:	https://support.f5.com/csp/article/k34074377	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22997	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.0867	Trust: 0.6
url:	https://github.com/dntyo/f5_vulnerability	Trust: 0.1

sources: VULHUB: VHN-381483 // VULMON: CVE-2021-22997 // JVNDB: JVNDB-2021-005101 // CNNVD: CNNVD-202103-824 // NVD: CVE-2021-22997

SOURCES

db:	VULHUB	id:	VHN-381483
db:	VULMON	id:	CVE-2021-22997
db:	JVNDB	id:	JVNDB-2021-005101
db:	CNNVD	id:	CNNVD-202103-824
db:	NVD	id:	CVE-2021-22997

LAST UPDATE DATE

2024-11-23T22:47:40.990000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381483	date:	2022-07-12T00:00:00
db:	VULMON	id:	CVE-2021-22997	date:	2021-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-005101	date:	2021-12-07T09:09:00
db:	CNNVD	id:	CNNVD-202103-824	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-22997	date:	2024-11-21T05:51:05.597

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381483	date:	2021-03-31T00:00:00
db:	VULMON	id:	CVE-2021-22997	date:	2021-03-31T00:00:00
db:	JVNDB	id:	JVNDB-2021-005101	date:	2021-12-07T00:00:00
db:	CNNVD	id:	CNNVD-202103-824	date:	2021-03-11T00:00:00
db:	NVD	id:	CVE-2021-22997	date:	2021-03-31T18:15:15.037