Vulnerability Details : CVE-2021-22989
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Products affected by CVE-2021-22989
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 16.0.0 and before (<) 16.0.1.1cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 12.1.0 and before (<) 12.1.5.3cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 15.1.0 and before (<) 15.1.2.1cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 11.6.1 and before (<) 11.6.5.3cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 13.1.0 and before (<) 13.1.3.6cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 13.1.0 and before (<) 13.1.3.6cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 15.1.0 and before (<) 15.1.2.1cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 16.0.0 and before (<) 16.0.1.1cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 11.6.1 and before (<) 11.6.5.3cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 14.1.0 and before (<) 14.1.4cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 12.1.0 and before (<) 12.1.5.3cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 16.0.0 and before (<) 16.0.1.1cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 12.1.0 and before (<) 12.1.5.3cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 13.1.0 and before (<) 13.1.3.6cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 14.1.0 and before (<) 14.1.4cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 11.6.1 and before (<) 11.6.5.3cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 15.1.0 and before (<) 15.1.2.1cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22989
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-22989
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
NIST |
References for CVE-2021-22989
-
https://support.f5.com/csp/article/K56142644
Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989Vendor Advisory
Jump to