Details of VAR-202205-0132

ID

VAR-202205-0132

CVE

CVE-2022-26890

TITLE

plural F5 Networks Product Consistently Improper Control Flow Implementation Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-010267

DESCRIPTION

On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP Advanced WAF , ASM , APM has always been vulnerable to improper control flow implementation.Service operation interruption (DoS) It may be in a state. F5 BIG-IP is an application delivery platform of F5 that integrates functions such as network traffic orchestration, load balancing, intelligent DNS, and remote access policy management. F5 BIG-IP has a security vulnerability that can be exploited by an attacker to cause a denial of service on the BIG-IP system

Trust: 1.8

sources: NVD: CVE-2022-26890 // JVNDB: JVNDB-2022-010267 // VULHUB: VHN-419860 // VULMON: CVE-2022-26890

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	14.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	eq	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-010267 // NVD: CVE-2022-26890

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-26890
value:	HIGH
Trust: 1.0
f5sirt@f5.com:	CVE-2022-26890
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-26890
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202205-2079
value:	HIGH
Trust: 0.6
VULHUB:	VHN-419860
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-26890
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-26890
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-419860
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-26890
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-010267
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-419860 // VULMON: CVE-2022-26890 // JVNDB: JVNDB-2022-010267 // CNNVD: CNNVD-202205-2079 // NVD: CVE-2022-26890 // NVD: CVE-2022-26890

PROBLEMTYPE DATA

problemtype:	CWE-670	Trust: 1.1
problemtype:	Consistently bad control flow implementation (CWE-670) [ others ]	Trust: 0.8

sources: VULHUB: VHN-419860 // JVNDB: JVNDB-2022-010267 // NVD: CVE-2022-26890

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2079

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-2079

PATCH

title:	K03442392	url:	https://my.f5.com/manage/s/article/K03442392	Trust: 0.8
title:	Multiple F5 BIG-IP Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191831	Trust: 0.6

sources: JVNDB: JVNDB-2022-010267 // CNNVD: CNNVD-202205-2079

EXTERNAL IDS

db:	NVD	id:	CVE-2022-26890	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-010267	Trust: 0.8
db:	CNNVD	id:	CNNVD-202205-2079	Trust: 0.6
db:	CNVD	id:	CNVD-2022-77523	Trust: 0.1
db:	VULHUB	id:	VHN-419860	Trust: 0.1
db:	VULMON	id:	CVE-2022-26890	Trust: 0.1

sources: VULHUB: VHN-419860 // VULMON: CVE-2022-26890 // JVNDB: JVNDB-2022-010267 // CNNVD: CNNVD-202205-2079 // NVD: CVE-2022-26890

REFERENCES

url:	https://support.f5.com/csp/article/k03442392	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-26890	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-26890/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38241	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/670.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-419860 // VULMON: CVE-2022-26890 // JVNDB: JVNDB-2022-010267 // CNNVD: CNNVD-202205-2079 // NVD: CVE-2022-26890

SOURCES

db:	VULHUB	id:	VHN-419860
db:	VULMON	id:	CVE-2022-26890
db:	JVNDB	id:	JVNDB-2022-010267
db:	CNNVD	id:	CNNVD-202205-2079
db:	NVD	id:	CVE-2022-26890

LAST UPDATE DATE

2024-11-23T22:36:50.013000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-419860	date:	2022-05-13T00:00:00
db:	VULMON	id:	CVE-2022-26890	date:	2022-05-13T00:00:00
db:	JVNDB	id:	JVNDB-2022-010267	date:	2023-08-14T06:54:00
db:	CNNVD	id:	CNNVD-202205-2079	date:	2022-05-16T00:00:00
db:	NVD	id:	CVE-2022-26890	date:	2024-11-21T06:54:44.650

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-419860	date:	2022-05-05T00:00:00
db:	VULMON	id:	CVE-2022-26890	date:	2022-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2022-010267	date:	2023-08-14T00:00:00
db:	CNNVD	id:	CNNVD-202205-2079	date:	2022-05-04T00:00:00
db:	NVD	id:	CVE-2022-26890	date:	2022-05-05T17:15:12.390