What is the severity of CVE-2021-22974?

CVE-2021-22974 is rated as a critical severity vulnerability that could allow an authenticated attacker to execute commands on the affected systems.

How do I fix CVE-2021-22974?

To fix CVE-2021-22974, you should upgrade affected softwares to the latest versions provided by F5, specifically versions 16.0.1.1 and above, 15.1.2 and above, 14.1.3.1 and above, or 13.1.3.6 and above.

Which F5 products are affected by CVE-2021-22974?

CVE-2021-22974 affects several F5 products including BIG-IP Access Policy Manager, Advanced Firewall Manager, and other module versions listed in the CVE report.

Can CVE-2021-22974 be exploited remotely?

No, CVE-2021-22974 requires authentication to iControl REST and therefore cannot be exploited remotely by unauthenticated users.

Is there a workaround for CVE-2021-22974?

Currently, the recommended approach is to apply the necessary updates as there are no documented workarounds for CVE-2021-22974.

Vulnerability/
CVE-2021-22974

high

7.5

CWE

362

12/2/2021

19/2/2021

CVE-2021-22974: Race Condition

First published: Fri Feb 12 2021(Updated: )

On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Credit: f5sirt@f5.com

Affected Software	Affected Version	How to fix
F5 BIG-IP Access Policy Manager	>=13.1.0<13.1.3.6
F5 BIG-IP Access Policy Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Access Policy Manager	>=15.1.0<15.1.2
F5 BIG-IP Access Policy Manager	>=16.0.0<16.0.1.1
F5 BIG-IP Advanced Firewall Manager	>=13.1.0<13.1.3.5
F5 BIG-IP Advanced Firewall Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Advanced Firewall Manager	>=15.1.0<15.1.2
F5 BIG-IP Advanced Firewall Manager	>=16.0.0<16.0.1.1
F5 BIG-IP Advanced Web Application Firewall	>=13.1.0<13.1.3.6
F5 BIG-IP Advanced Web Application Firewall	>=14.1.0<14.1.3.1
F5 BIG-IP Advanced Web Application Firewall	>=15.1.0<15.1.2
F5 BIG-IP Advanced Web Application Firewall	>=16.0.0<16.0.1.1
F5 BIG-IP Analytics	>=13.1.0<13.1.3.6
F5 BIG-IP Analytics	>=14.1.0<14.1.3.1
F5 BIG-IP Analytics	>=15.1.0<15.1.2
F5 BIG-IP Analytics	>=16.0.0<16.0.1.1
f5 big-ip application acceleration manager	>=13.1.0<13.1.3.6
f5 big-ip application acceleration manager	>=14.1.0<14.1.3.1
f5 big-ip application acceleration manager	>=15.1.0<15.1.2
f5 big-ip application acceleration manager	>=16.0.0<16.0.1.1
F5 BIG-IP Application Security Manager	>=13.1.0<13.1.3.6
F5 BIG-IP Application Security Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Application Security Manager	>=15.1.0<15.1.2
F5 BIG-IP Application Security Manager	>=16.0.0<16.0.1.1
F5 BIG-IP DDoS Hybrid Defender	>=13.1.0<13.1.3.6
F5 BIG-IP DDoS Hybrid Defender	>=14.1.0<14.1.3.1
F5 BIG-IP DDoS Hybrid Defender	>=15.1.0<15.1.2
F5 BIG-IP DDoS Hybrid Defender	>=16.0.0<16.0.1.1
f5 big-ip domain name system	>=13.1.0<13.1.3.6
f5 big-ip domain name system	>=14.1.0<14.1.3.1
f5 big-ip domain name system	>=15.1.0<15.1.2
f5 big-ip domain name system	>=16.0.0<16.0.1.1
f5 big-ip fraud protection service	>=13.1.0<13.1.3.5
f5 big-ip fraud protection service	>=14.1.0<14.1.3.1
f5 big-ip fraud protection service	>=15.1.0<15.1.2
f5 big-ip fraud protection service	>=16.0.0<16.0.1.1
F5 BIG-IP Global Traffic Manager	>=13.1.0<13.1.3.6
F5 BIG-IP Global Traffic Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Global Traffic Manager	>=15.1.0<15.1.2
F5 BIG-IP Global Traffic Manager	>=16.0.0<16.0.1.1
f5 big-ip link controller	>=13.1.0<13.1.3.6
f5 big-ip link controller	>=14.1.0<14.1.3.1
f5 big-ip link controller	>=15.1.0<15.1.2
f5 big-ip link controller	>=16.0.0<16.0.1.1
F5 BIG-IP Local Traffic Manager	>=13.1.0<13.1.3.6
F5 BIG-IP Local Traffic Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Local Traffic Manager	>=15.1.0<15.1.2
F5 BIG-IP Local Traffic Manager	>=16.0.0<16.0.1.1
F5 BIG-IP Policy Enforcement Manager	>=13.1.0<13.1.3.6
F5 BIG-IP Policy Enforcement Manager	>=14.1.0<14.1.3.1
F5 BIG-IP Policy Enforcement Manager	>=15.1.0<15.1.2
F5 BIG-IP Policy Enforcement Manager	>=16.0.0<16.0.1.1
F5 BIG-IP SSL Orchestrator	>=13.1.0<13.1.3.6
F5 BIG-IP SSL Orchestrator	>=14.1.0<14.1.3.1
F5 BIG-IP SSL Orchestrator	>=15.1.0<15.1.2
F5 BIG-IP SSL Orchestrator	>=16.0.0<16.0.1.1
F5 BIG-IQ Centralized Management	>=6.0.0<=6.1.0
F5 BIG-IQ Centralized Management	>=7.0.0<=7.1.0

Never miss a vulnerability like this again

Reference Links

https://support.f5.com/csp/article/K68652018

Frequently Asked Questions

What is the severity of CVE-2021-22974?
CVE-2021-22974 is rated as a critical severity vulnerability that could allow an authenticated attacker to execute commands on the affected systems.
How do I fix CVE-2021-22974?
To fix CVE-2021-22974, you should upgrade affected softwares to the latest versions provided by F5, specifically versions 16.0.1.1 and above, 15.1.2 and above, 14.1.3.1 and above, or 13.1.3.6 and above.
Which F5 products are affected by CVE-2021-22974?
CVE-2021-22974 affects several F5 products including BIG-IP Access Policy Manager, Advanced Firewall Manager, and other module versions listed in the CVE report.
Can CVE-2021-22974 be exploited remotely?
No, CVE-2021-22974 requires authentication to iControl REST and therefore cannot be exploited remotely by unauthenticated users.
Is there a workaround for CVE-2021-22974?
Currently, the recommended approach is to apply the necessary updates as there are no documented workarounds for CVE-2021-22974.

agent/weakness
agent/event
agent/type
agent/references
agent/severity
agent/author
agent/description
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/f5
canonical/f5 big-ip access policy manager
version/f5 big-ip access policy manager/13.1.0
version/f5 big-ip access policy manager/14.1.0
version/f5 big-ip access policy manager/15.1.0
version/f5 big-ip access policy manager/16.0.0
canonical/f5 big-ip advanced firewall manager
version/f5 big-ip advanced firewall manager/13.1.0
version/f5 big-ip advanced firewall manager/14.1.0
version/f5 big-ip advanced firewall manager/15.1.0
version/f5 big-ip advanced firewall manager/16.0.0
canonical/f5 big-ip advanced web application firewall
version/f5 big-ip advanced web application firewall/13.1.0
version/f5 big-ip advanced web application firewall/14.1.0
version/f5 big-ip advanced web application firewall/15.1.0
version/f5 big-ip advanced web application firewall/16.0.0
canonical/f5 big-ip analytics
version/f5 big-ip analytics/13.1.0
version/f5 big-ip analytics/14.1.0
version/f5 big-ip analytics/15.1.0
version/f5 big-ip analytics/16.0.0
canonical/f5 big-ip application acceleration manager
version/f5 big-ip application acceleration manager/13.1.0
version/f5 big-ip application acceleration manager/14.1.0
version/f5 big-ip application acceleration manager/15.1.0
version/f5 big-ip application acceleration manager/16.0.0
canonical/f5 big-ip application security manager
version/f5 big-ip application security manager/13.1.0
version/f5 big-ip application security manager/14.1.0
version/f5 big-ip application security manager/15.1.0
version/f5 big-ip application security manager/16.0.0
canonical/f5 big-ip ddos hybrid defender
version/f5 big-ip ddos hybrid defender/13.1.0
version/f5 big-ip ddos hybrid defender/14.1.0
version/f5 big-ip ddos hybrid defender/15.1.0
version/f5 big-ip ddos hybrid defender/16.0.0
canonical/f5 big-ip domain name system
version/f5 big-ip domain name system/13.1.0
version/f5 big-ip domain name system/14.1.0
version/f5 big-ip domain name system/15.1.0
version/f5 big-ip domain name system/16.0.0
canonical/f5 big-ip fraud protection service
version/f5 big-ip fraud protection service/13.1.0
version/f5 big-ip fraud protection service/14.1.0
version/f5 big-ip fraud protection service/15.1.0
version/f5 big-ip fraud protection service/16.0.0
canonical/f5 big-ip global traffic manager
version/f5 big-ip global traffic manager/13.1.0
version/f5 big-ip global traffic manager/14.1.0
version/f5 big-ip global traffic manager/15.1.0
version/f5 big-ip global traffic manager/16.0.0
canonical/f5 big-ip link controller
version/f5 big-ip link controller/13.1.0
version/f5 big-ip link controller/14.1.0
version/f5 big-ip link controller/15.1.0
version/f5 big-ip link controller/16.0.0
canonical/f5 big-ip local traffic manager
version/f5 big-ip local traffic manager/13.1.0
version/f5 big-ip local traffic manager/14.1.0
version/f5 big-ip local traffic manager/15.1.0
version/f5 big-ip local traffic manager/16.0.0
canonical/f5 big-ip policy enforcement manager
version/f5 big-ip policy enforcement manager/13.1.0
version/f5 big-ip policy enforcement manager/14.1.0
version/f5 big-ip policy enforcement manager/15.1.0
version/f5 big-ip policy enforcement manager/16.0.0
canonical/f5 big-ip ssl orchestrator
version/f5 big-ip ssl orchestrator/13.1.0
version/f5 big-ip ssl orchestrator/14.1.0
version/f5 big-ip ssl orchestrator/15.1.0
version/f5 big-ip ssl orchestrator/16.0.0
canonical/f5 big-iq centralized management
version/f5 big-iq centralized management/6.0.0
version/f5 big-iq centralized management/6.1.0
version/f5 big-iq centralized management/7.0.0
version/f5 big-iq centralized management/7.1.0

CVE-2021-22974: Race Condition

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-22974?

How do I fix CVE-2021-22974?

Which F5 products are affected by CVE-2021-22974?

Can CVE-2021-22974 be exploited remotely?

Is there a workaround for CVE-2021-22974?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2021-22974?

How do I fix CVE-2021-22974?

Which F5 products are affected by CVE-2021-22974?

Can CVE-2021-22974 be exploited remotely?

Is there a workaround for CVE-2021-22974?