PT-2023-1629 · F5 · BIG-IP Hybrid Defender +15
Published 2023-02-01 · Updated 2023-02-09 · CVE-2023-22326
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BIG-IP versions 13.1.x (all releases)
BIG-IP versions 17.0.x before 17.0.0.2
BIG-IP versions 14.1.x before 14.1.5.3
BIG-IP versions 15.1.x before 15.1.8.1
BIG-IP versions 16.1.x before 16.1.3.3
BIG-IQ versions 7.1.x
BIG-IQ versions 8.x
Description
The vulnerability is an incorrect permission assignment in the dig command reachable through iControl REST and the TMOS shell (tmsh). An authenticated attacker holding the Administrator or Resource Administrator role may use it to view sensitive information. Note that the CVSS v2.0 vector above records authentication as not required (Au:N), which does not match this precondition; the privilege requirement, not the 7.8 score, is the better guide to real exposure, since the issue lets an already highly privileged account read data it should not and gives an unauthenticated user nothing. The flaw is in the TMOS base rather than in any one module, so every BIG-IP module is affected: BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, BIG-IP Analytics, BIG-IP Application Acceleration Manager, BIG-IP Application Security Manager, BIG-IP Hybrid Defender, BIG-IP Domain Name System, BIG-IP Fraud Protection Service, BIG-IP Link Controller, BIG-IP Local Traffic Manager, BIG-IP Policy Enforcement Manager and BIG-IP SSL Orchestrator, along with BIG-IQ Centralized Management.
Recommendations
For BIG-IP versions 13.1.x, no fixed 13.1.x release is listed; migrate to a fixed release of a later branch (14.1.5.3, 15.1.8.1, 16.1.3.3 or 17.0.0.2, or later).
For BIG-IP versions 14.1.x before 14.1.5.3, update to version 14.1.5.3 or later.
For BIG-IP versions 15.1.x before 15.1.8.1, update to version 15.1.8.1 or later.
For BIG-IP versions 16.1.x before 16.1.3.3, update to version 16.1.3.3 or later.
For BIG-IP versions 17.0.x before 17.0.0.2, update to version 17.0.0.2 or later.
For BIG-IQ versions 7.1.x and 8.x, this advisory lists no fixed release; upgrade to the BIG-IQ release that F5's advisory for CVE-2023-22326 names as fixed.
Until the upgrade is in place, reduce the exposure rather than trying to remove the dig command itself: exploitation requires an account holding the Administrator or Resource Administrator role, so keep the number of such accounts to a minimum, and allow access to iControl REST and tmsh (the management interface and any self IP that exposes the management port) only from trusted administrative networks.
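The two checks a practitioner would run before and after applying the recommendations above, as an added example that is neither F5's tooling nor part of this advisory: classify the running version against the affected ranges listed on this page (a numeric comparison, because a plain string compare would call 14.1.10 older than 14.1.9), and list the local accounts that hold the admin or resource-admin role, which are the only accounts that can exploit this issue. On a device the inputs come from `tmsh show sys version` and `tmsh list /auth user`; the samples embedded here are constructed to match those commands' layouts so the script runs offline. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not F5 code, not from the advisory): version classification
# against the advisory's ranges and an audit of privileged local accounts.
set -eu

# Fixed release per affected branch, taken from the advisory. 13.1.x has no
# fixed release in-branch; a branch not listed here is outside the advisory.
fixed_for_branch() {
  case "$1" in
    14.1) printf '%s\n' 14.1.5.3 ;;
    15.1) printf '%s\n' 15.1.8.1 ;;
    16.1) printf '%s\n' 16.1.3.3 ;;
    17.0) printf '%s\n' 17.0.0.2 ;;
    13.1) printf '%s\n' none ;;
    *)    printf '\n' ;;
  esac
}

# Numeric comparison of dotted versions, up to four fields, missing fields
# count as 0. Prints -1, 0 or 1.
vercmp() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Prints affected-no-fix, affected, fixed or not-listed for a version string.
classify() {
  branch=$(printf '%s' "$1" | cut -d. -f1-2)
  fix=$(fixed_for_branch "$branch")
  case "$fix" in
    '')   printf '%s\n' not-listed ;;
    none) printf '%s\n' affected-no-fix ;;
    *)    if [ "$(vercmp "$1" "$fix")" -lt 0 ]; then
            printf '%s\n' affected
          else
            printf '%s\n' fixed
          fi ;;
  esac
}

# Extract the version from `tmsh show sys version` output read on stdin.
version_from_tmsh() {
  sed -n 's/^ *Version *\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# From `tmsh list /auth user` output on stdin, print each account that holds
# the admin or resource-admin role (the roles this CVE requires), once each.
privileged_users() {
  awk '
    /^auth user / { user = $3 }
    /^ *role (admin|resource-admin) *$/ { if (!seen[user]++) print user }
  '
}

# Constructed sample output, not captured from a device.
SAMPLE_SYS_VERSION='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.2'

# Constructed sample output, not captured from a device.
SAMPLE_AUTH_USERS='auth user admin {
    partition-access {
        all-partitions {
            role admin
        }
    }
}
auth user auditor {
    partition-access {
        all-partitions {
            role auditor
        }
    }
}
auth user netops {
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
}'

main() {
  v=$(printf '%s\n' "$SAMPLE_SYS_VERSION" | version_from_tmsh)
  printf 'version %s: %s\n' "$v" "$(classify "$v")"
  printf 'accounts holding admin or resource-admin: '
  printf '%s\n' "$SAMPLE_AUTH_USERS" | privileged_users | tr '\n' ' '
  printf '\n'
}
main
```

On a real unit replace the two samples with `tmsh show sys version | version_from_tmsh` and `tmsh list /auth user | privileged_users`; any account the second check prints that is not an active administrator is a candidate for removal or demotion, and `not-listed` only means the branch is outside this advisory's ranges, not that it has been assessed.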
Fix
Fixed releases are listed under Recommendations.
Weakness Enumeration
Incorrect Permission Assignment
Affected Products
BIG-IP
BIG-IP Access Policy Manager
BIG-IP Advanced Firewall Manager
BIG-IP Analytics
BIG-IP Application Acceleration Manager
BIG-IP Application Security Manager
BIG-IP Domain Name System
BIG-IP Fraud Protection Service
BIG-IP Hybrid Defender
BIG-IP Link Controller
BIG-IP Local Traffic Manager
BIG-IP SSL Orchestrator
BIG-IP Policy Enforcement Manager
BIG-IQ
TMOS
iControl REST