F5 fixes 20 vulnerabilities in BIG-IP load balancer, WAF and nginx

In its latest quarterly security advisory, F5 lists nearly two dozen vulnerabilities fixed by updates to the BIG-IP product line and the nginx web server. Severity ranges from 3.8 to 8.7 CVSS points, that is from “low” to “high”.


The most serious flaw is in “iControl REST”, the automation interface of BIG-IP. An attacker who already holds admin privileges can execute arbitrary bash commands on the appliance and thus compromise the load balancer. The bug, CVE-2024-22093, is rated high severity; BIG-IP versions 15.1.0 to 15.1.8, 16.1.0 to 16.1.3 and 17.1.0 are vulnerable. Versions 17.1.1, 16.1.4 and 15.1.9 fix the command injection.

The F5 developers found and fixed another twenty problems in, among other things, the “Advanced WAF” and the “Advanced Firewall Manager” (AFM). The overview on the F5 website lists the affected product names and versions together with the severity rating of each vulnerability.

In addition to the BIG-IP load balancer, F5 has also owned nginx for almost five years. Two security problems were also found in the open source web server and its commercial counterpart “nginx plus”, both affecting the handling of HTTP/3 (QUIC). CVE-2024-24989 and CVE-2024-24990 are denial-of-service flaws that allow an attacker to crash nginx on demand. They first appeared in the open source version in nginx 1.25.0 and were fixed in 1.25.4; “nginx plus” fixes the bugs in versions R31 P1 and R30 P2.
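As an added example (not part of the original article and not F5 or nginx code), the following Python script turns the version ranges quoted above for the BIG-IP iControl REST bug and the two nginx HTTP/3 bugs into a quick exposure check an operator can run against inventory data. The version strings and build flags fed to it below are constructed samples. It assumes that the nginx flaws only matter when the build actually includes the HTTP/3 module (the `--with-http_v3_module` configure flag), which is an assumption made here and not a statement from the article:

```python
"""Exposure check for the F5 BIG-IP and nginx versions named in the advisory."""
import re
from typing import Iterable, Tuple

Version = Tuple[int, int, int]

# Affected ranges as quoted in the article (inclusive bounds).
BIGIP_AFFECTED = [((15, 1, 0), (15, 1, 8)),
                  ((16, 1, 0), (16, 1, 3)),
                  ((17, 1, 0), (17, 1, 0))]
BIGIP_FIXED = {(15, 1, 9), (16, 1, 4), (17, 1, 1)}

# nginx open source: introduced in 1.25.0, fixed in 1.25.4.
NGINX_FIRST_AFFECTED: Version = (1, 25, 0)
NGINX_FIXED: Version = (1, 25, 4)
# Assumption (not from the article): the HTTP/3 bugs need the QUIC module built in.
NGINX_HTTP3_FLAG = "--with-http_v3_module"


def parse_version(text: str) -> Version:
    """Extract the first MAJOR.MINOR.PATCH triple from e.g. 'nginx/1.25.2' or '17.1.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version triple found in {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def in_ranges(v: Version, ranges: Iterable[Tuple[Version, Version]]) -> bool:
    return any(lo <= v <= hi for lo, hi in ranges)


def bigip_status(version_text: str) -> str:
    """Classify a BIG-IP version against CVE-2024-22093 as described in the advisory."""
    v = parse_version(version_text)
    if in_ranges(v, BIGIP_AFFECTED):
        return "vulnerable"
    # A version on an affected branch at or above the fixing release is fixed.
    for fixed in BIGIP_FIXED:
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "not listed"  # the article makes no claim about other branches


def nginx_status(version_output: str, configure_output: str = "") -> str:
    """Classify an nginx open source build against CVE-2024-24989/24990.

    version_output   - text of `nginx -v` (e.g. 'nginx version: nginx/1.25.2')
    configure_output - text of `nginx -V` (contains 'configure arguments: ...')
    """
    v = parse_version(version_output)
    if v < NGINX_FIRST_AFFECTED:
        return "not affected"
    if v >= NGINX_FIXED:
        return "fixed"
    if NGINX_HTTP3_FLAG not in configure_output:
        return "affected version, HTTP/3 module not built"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("lb-a", "17.1.0"), ("lb-b", "16.1.4"), ("lb-c", "14.1.5")]:
        print(f"{host}: BIG-IP {ver} -> {bigip_status(ver)}")
    web = [("web-1", "nginx version: nginx/1.25.2",
            "configure arguments: --with-http_ssl_module --with-http_v3_module"),
           ("web-2", "nginx version: nginx/1.25.1",
            "configure arguments: --with-http_ssl_module"),
           ("web-3", "nginx version: nginx/1.25.4", "")]
    for host, v_out, cfg in web:
        print(f"{host}: {v_out.split('/')[-1]} -> {nginx_status(v_out, cfg)}")
```

Feeding it the `nginx -V` output matters: a build on an affected version that never compiled the QUIC module is reported separately, so the patch queue can be prioritised towards hosts that actually expose HTTP/3.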

Just recently, one of the main developers of the nginx web server, Maxim Dounin, expressed his dissatisfaction with F5’s support and announced a fork called “freenginx”, saying he wanted to free the project from the company’s arbitrary decisions.


(cku)

