Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP's configuration utility and published their findings this week on what is the third major RCE bug to impact BIG-IP since 2020.

F5's advisory indicated that no products other than BIG-IP (all modules) are affected by the vulnerability. The following versions are vulnerable and should be upgraded to the latest version:

All affected versions now have hotfixes and should be upgraded as soon as possible.

"We went to report to F5 at the beginning of the month and had some back and forth with them over the disclosure timeline," Weber said. "We're not in a rush, we figured it would take a month or two to disclose, but they wanted to publish it in February 2024.

"Then last night at 8PM ET, we get an email that they're dropping the advisory and hotfix in 16 hours. We asked why and were told 'we believe this vulnerability is now known outside of F5 and Praetorian thus forcing our hands at an immediate disclosure'."

However, they did reveal that the issue is defined as an Apache JServ Protocol (AJP) smuggling vulnerability. While it's not an operating system that has reached EOL, being launched in 2018 makes it a bit old by software standards, an observation that prompted the researchers to investigate other core components for issues.

They were able to confirm that the F5 device used an AJP connector on Tomcat, which is a prerequisite for exploiting CVE-2022-26377, the researchers said. From there, they could achieve RCE with root privileges, but full details of how they got to that stage will come after they deem enough time has passed to allow for the hotfixes to be applied.
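Because an enabled AJP connector is the precondition the researchers checked for, defenders running their own Tomcat instances can audit for the same exposure. The script below is an added example, not code from the article, Praetorian or F5: it parses a standard Tomcat `server.xml` and flags AJP connectors that are bound to a non-loopback address, have `secretRequired="false"`, or carry no shared `secret`. The sample XML embedded in it is constructed, and the attribute names are the ones Tomcat itself documents for its AJP connector.

```python
"""Audit a Tomcat server.xml for weakly configured AJP connectors.

Added example (not from the article or the vendors it discusses). Assumes the
standard Tomcat layout <Server><Service><Connector .../></Service></Server>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one HTTP connector, one weak AJP connector exposed on all
# interfaces without a secret, and one hardened AJP connector on loopback.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one dict per AJP connector: {"port", "protocol", "findings"}.

    An empty "findings" list means the connector passed every check here.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "ajp" not in proto.lower():
            continue

        findings = []
        address = conn.get("address")
        if address is None:
            # Tomcat before 9.0.31 binds AJP to all interfaces when no
            # address is given; newer releases default to loopback.
            findings.append("no explicit address: older Tomcat binds AJP "
                            "to all interfaces by default")
        elif address.strip("[]") not in LOOPBACK:
            findings.append(f"bound to non-loopback address {address}")

        if conn.get("secretRequired", "true").lower() == "false":
            findings.append('secretRequired="false": any client that can '
                            "reach the port may speak AJP to Tomcat")
        elif not conn.get("secret"):
            findings.append("no shared secret configured")

        results.append({"port": conn.get("port", "?"),
                        "protocol": proto,
                        "findings": findings})
    return results


if __name__ == "__main__":
    for entry in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not entry["findings"] else "REVIEW"
        print(f'port {entry["port"]} ({entry["protocol"]}): {status}')
        for f in entry["findings"]:
            print(f"  - {f}")
```

Point the script at a real `server.xml` by reading the file into a string and passing it to `audit_ajp_connectors`; the sensible remediation for any flagged connector is to remove it if nothing behind the front-end proxy needs AJP, or otherwise bind it to loopback and set a shared secret.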

