PT-2024-1930 · F5 · Big-Ip+3

Published: 2024-02-14 · Updated: 2025-01-23 · CVE-2024-21782

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
BIG-IP versions prior to the fixed version
BIG-IQ versions prior to the fixed version

Description
The issue allows BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility, but not to the Advanced shell (bash), to execute arbitrary commands by supplying a specially crafted command string. It is caused by an incomplete fix for a previous issue. The vulnerability is also related to an unrestricted upload of files with dangerous types in various BIG-IP modules, including Access Policy Manager, Advanced Firewall Manager, and others. Successful exploitation may allow an attacker to execute arbitrary commands.

Recommendations
For BIG-IP versions prior to the fixed version, consider disabling the scp utility until a patch is available. For BIG-IQ versions prior to the fixed version, consider restricting access to the scp utility until a patch is available. As a temporary workaround, consider limiting file uploads to prevent exploitation of the unrestricted file upload vulnerability in the affected BIG-IP modules. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2024-01718
CVE-2024-21782

Affected Products

Access Policy Manager
Advanced Firewall Manager
Big-Ip
Big-Iq