Security Advisory Description
On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these F5 vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
Important: Customers who upgrade to 15.1.8 or 15.1.8.1 may experience future issues upgrading to 16.x or 17.x. For more information, refer to Bug ID 1161913: Upgrade from 15.1.8 or 15.1.8.1 to 16.x or 17.x fails, and leaves device INOPERATIVE.
Distributed Cloud and Managed Services
| Service | Status |
| --- | --- |
| F5 Distributed Cloud Services | Does not affect or has been resolved |
| Silverline | Does not affect or has been resolved |
| Threat Stack | Does not affect or has been resolved |
High CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
| --- | --- | --- | --- | --- |
| K000130415: iControl SOAP vulnerability CVE-2023-22374 | 8.5 | BIG-IP (all modules) | 17.0.0, 16.1.2.2 – 16.1.3, 15.1.5.1 – 15.1.8, 14.1.4.6 – 14.1.5, 13.1.5 | None² |
| K76964818: BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 7.8 | BIG-IP (APM) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5 | 17.0.0.2 |
| | | BIG-IP APM Clients | 7.2.2 – 7.2.3 | 7.2.4, 7.2.3.1 |
| K08182564: BIG-IP SIP profile vulnerability CVE-2023-22842 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5 | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| K56412001: BIG-IP SSL OCSP Authentication profile vulnerability CVE-2023-22323 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.7, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.0.0.2 |
| K46048342: BIG-IP AFM vulnerability CVE-2023-22281 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.7, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
| K20717585: BIG-IP APM OAuth vulnerability CVE-2023-22341 | 7.5 | BIG-IP (APM) | 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 14.1.5.3 |
| K56676554: BIG-IP HTTP/2 profile vulnerability CVE-2023-22664 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3 | 17.0.0.2, 16.1.3.3 |
| | | BIG-IP SPK | 1.6.0 | None |
| K34525368: BIG-IP SIP profile vulnerability CVE-2023-22340 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 16.1.3.3, 15.1.8, 14.1.5.3 |
| K17542533: BIG-IP Advanced WAF and ASM vulnerability CVE-2023-23552 | 7.5 | BIG-IP (ASM) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.7, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
| K37708118: BIG-IP DNS profile vulnerability CVE-2023-22839 | 7.5 | BIG-IP (DNS, LTM with DNS Services license) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| K24572686: BIG-IP Virtual Edition vulnerability CVE-2023-23555 | 7.5 | BIG-IP (all modules) | 15.1.4 – 15.1.7, 14.1.5 | 15.1.8, 14.1.5.3 |
| | | BIG-IP SPK | 1.5.0 | 1.6.0 |
| K06345931: F5OS vulnerability CVE-2023-22657 | 7.5 | F5OS-A | 1.2.0, 1.1.0 – 1.1.1, 1.0.0 – 1.0.1 | 1.3.0 |
| | | F5OS-C | 1.3.0 – 1.3.2 | 1.5.0 |
| K43881487: HTTP profile vulnerability CVE-2023-22422 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3 | 17.0.0.2, 16.1.3.3 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

² F5 has fixed this issue in an engineering hotfix that is available for supported versions of the BIG-IP system. Customers affected by this issue can download the engineering hotfix for the latest supported versions of BIG-IP from the F5 Downloads site. For more information, refer to K167: Downloading software and firmware from F5. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. For more information about the hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.
Medium CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
| --- | --- | --- | --- | --- |
| K07143733: BIG-IP Edge Client for Windows vulnerability CVE-2023-22283 | 6.3 | BIG-IP (APM) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
| | | BIG-IP APM Clients | 7.1.5 – 7.2.3 | 7.2.4, 7.2.3.1 |
| K95503300: BIG-IP APM virtual server vulnerability CVE-2023-22418 | 6.1 | BIG-IP (APM) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.6, 14.1.0 – 14.1.5 | 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
| K58550078: BIG-IP HTTP profile vulnerability CVE-2023-22302 | 5.9 | BIG-IP (all modules) | 17.0.0, 16.1.2.2 – 16.1.3 | 17.0.0.2, 16.1.3.3 |
| K83284425: iControl REST and tmsh vulnerability CVE-2023-22326 | 4.9 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| | | BIG-IQ Centralized Management | 8.0.0 – 8.2.0, 7.1.0 | None |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related Content
- K12201527: Overview of Quarterly Security Notifications
- K67091411: Guidance for Quarterly Security Notifications
- K84205182: BIG-IP update and upgrade guide | Chapter 1: Guide contents
- K41942608: Overview of AskF5 security advisory articles
- K4602: Overview of the F5 security vulnerability response policy
- K4918: Overview of the F5 critical issue hotfix policy
- K8986: F5 product support policies
- K9502: BIG-IP hotfix and point release matrix
- K13123: Managing BIG-IP product hotfixes (11.x – 17.x)
- K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)
- K167: Downloading software and firmware from F5
- K9970: Subscribing to email notifications regarding F5 products
- K27404821: Using F5 iHealth to diagnose vulnerabilities