Vulnerability Name:

CVE-2022-26890 (CCN-225745)

Assigned:2022-05-04
Published:2022-05-04
Updated:2022-05-13
Summary:On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-670
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-26890

Source: XF
Type: UNKNOWN
f5-cve202226890-dos(225745)

Source: CCN
Type: F5 Security Advisory K03442392
BIG-IP ASM and Advanced WAF vulnerability CVE-2022-26890

Source: MISC
Type: Vendor Advisory
https://support.f5.com/csp/article/K03442392

Vulnerable Configuration:Configuration 1:
  • cpe:/a:f5:big-ip_access_policy_manager:13.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:13.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:14.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:14.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:14.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:14.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:14.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:15.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:16.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:16.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:16.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:16.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:16.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:16.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:13.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:13.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:13.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:13.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:14.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_security_manager:15.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:f5:big-ip:13.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:f5:big-ip:15.1.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    f5 big-ip access policy manager 13.1.0
    f5 big-ip application security manager 13.1.0
    f5 big-ip access policy manager 14.1.0
    f5 big-ip application security manager 14.1.0
    f5 big-ip application security manager 15.1.0
    f5 big-ip access policy manager 15.1.0
    f5 big-ip advanced web application firewall 15.1.0
    f5 big-ip access policy manager 14.1.4
    f5 big-ip advanced web application firewall 14.1.4
    f5 big-ip application security manager 14.1.4
    f5 big-ip access policy manager 13.1.1
    f5 big-ip access policy manager 13.1.3
    f5 big-ip access policy manager 13.1.4
    f5 big-ip access policy manager 13.1.5
    f5 big-ip access policy manager 14.1.2
    f5 big-ip access policy manager 14.1.3
    f5 big-ip access policy manager 15.1.1
    f5 big-ip access policy manager 15.1.2
    f5 big-ip access policy manager 15.1.3
    f5 big-ip access policy manager 15.1.4
    f5 big-ip access policy manager 15.1.5
    f5 big-ip access policy manager 16.1.0
    f5 big-ip access policy manager 16.1.1
    f5 big-ip access policy manager 16.1.2
    f5 big-ip application security manager 15.1.4
    f5 big-ip application security manager 15.1.5
    f5 big-ip application security manager 16.1.0
    f5 big-ip application security manager 16.1.1
    f5 big-ip application security manager 16.1.2
    f5 big-ip advanced web application firewall 16.1.0
    f5 big-ip application security manager 13.1.1
    f5 big-ip application security manager 13.1.3
    f5 big-ip application security manager 13.1.4
    f5 big-ip application security manager 13.1.5
    f5 big-ip application security manager 14.1.2
    f5 big-ip application security manager 14.1.3
    f5 big-ip application security manager 15.1.1
    f5 big-ip application security manager 15.1.2
    f5 big-ip application security manager 15.1.3
    f5 big-ip advanced web application firewall 13.1.0
    f5 big-ip advanced web application firewall 13.1.1
    f5 big-ip advanced web application firewall 13.1.3
    f5 big-ip advanced web application firewall 13.1.4
    f5 big-ip advanced web application firewall 13.1.5
    f5 big-ip advanced web application firewall 14.1.0
    f5 big-ip advanced web application firewall 14.1.2
    f5 big-ip advanced web application firewall 14.1.3
    f5 big-ip advanced web application firewall 15.1.1
    f5 big-ip advanced web application firewall 15.1.2
    f5 big-ip advanced web application firewall 15.1.3
    f5 big-ip advanced web application firewall 15.1.4
    f5 big-ip advanced web application firewall 15.1.5
    f5 big-ip advanced web application firewall 16.1.1
    f5 big-ip advanced web application firewall 16.1.2
    f5 big-ip 13.1.0
    f5 big-ip 14.1.0
    f5 big-ip 15.1.0