Details of VAR-202208-0312

ID

VAR-202208-0312

CVE

CVE-2022-35243

TITLE

BIG-IP Vulnerability in privilege management in

Trust: 0.8

sources: JVNDB: JVNDB-2022-016714

DESCRIPTION

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2022-35243 // JVNDB: JVNDB-2022-016714 // VULHUB: VHN-431572 // VULMON: CVE-2022-35243

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	16.1.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	15.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-016714 // NVD: CVE-2022-35243

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-35243
value:	CRITICAL
Trust: 1.0
f5sirt@f5.com:	CVE-2022-35243
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-35243
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202208-2059
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-35243
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
f5sirt@f5.com:	CVE-2022-35243
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	5.8
version:	3.1
Trust: 1.0
NVD:	CVE-2022-35243
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-016714 // CNNVD: CNNVD-202208-2059 // NVD: CVE-2022-35243 // NVD: CVE-2022-35243

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	Improper authority management (CWE-269) [ others ]	Trust: 0.8

sources: VULHUB: VHN-431572 // JVNDB: JVNDB-2022-016714 // NVD: CVE-2022-35243

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-2059

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202208-2059

PATCH

title:	K11010341	url:	https://my.f5.com/manage/s/article/K11010341	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203887	Trust: 0.6

sources: JVNDB: JVNDB-2022-016714 // CNNVD: CNNVD-202208-2059

EXTERNAL IDS

db:	NVD	id:	CVE-2022-35243	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-016714	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.3876	Trust: 0.6
db:	CNNVD	id:	CNNVD-202208-2059	Trust: 0.6
db:	VULHUB	id:	VHN-431572	Trust: 0.1
db:	VULMON	id:	CVE-2022-35243	Trust: 0.1

sources: VULHUB: VHN-431572 // VULMON: CVE-2022-35243 // JVNDB: JVNDB-2022-016714 // CNNVD: CNNVD-202208-2059 // NVD: CVE-2022-35243

REFERENCES

url:	https://support.f5.com/csp/article/k11010341	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-35243	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38983	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-35243/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.3876	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/269.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-431572 // VULMON: CVE-2022-35243 // JVNDB: JVNDB-2022-016714 // CNNVD: CNNVD-202208-2059 // NVD: CVE-2022-35243

SOURCES

db:	VULHUB	id:	VHN-431572
db:	VULMON	id:	CVE-2022-35243
db:	JVNDB	id:	JVNDB-2022-016714
db:	CNNVD	id:	CNNVD-202208-2059
db:	NVD	id:	CVE-2022-35243

LAST UPDATE DATE

2024-08-14T14:31:02.551000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-431572	date:	2022-08-10T00:00:00
db:	VULMON	id:	CVE-2022-35243	date:	2022-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-016714	date:	2023-10-06T02:21:00
db:	CNNVD	id:	CNNVD-202208-2059	date:	2022-08-11T00:00:00
db:	NVD	id:	CVE-2022-35243	date:	2022-08-10T19:11:54.747

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-431572	date:	2022-08-04T00:00:00
db:	VULMON	id:	CVE-2022-35243	date:	2022-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-016714	date:	2023-10-06T00:00:00
db:	CNNVD	id:	CNNVD-202208-2059	date:	2022-08-03T00:00:00
db:	NVD	id:	CVE-2022-35243	date:	2022-08-04T18:15:10.680