Security Advisory Description
On May 3, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help you determine the impact on your F5 devices. You can find the details of each issue in the associated articles.
Distributed Cloud and Managed Services
| Service | Status |
|---|---|
| F5 Distributed Cloud Services | Does not affect or has been resolved |
| Silverline | Does not affect or has been resolved |
High CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|
| K000133417: NGINX Management Suite vulnerability CVE-2023-28656 | 8.1 | NGINX Instance Manager | 2.0.0 – 2.8.0 | 2.9.0 |
| | | NGINX API Connectivity Manager | 1.0.0 – 1.4.1 | 1.5.0 |
| | | NGINX Security Monitoring | 1.0.0 – 1.2.0 | 1.3.0 |
| K20145107: BIG-IP UDP profile vulnerability CVE-2023-29163 | 7.5 | BIG-IP (all modules) | 17.0.0, 16.1.2.2 – 16.1.3.3, 15.1.5.1 – 15.1.8.1, 14.1.4.6 – 14.1.5.3 | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| K000132726: BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 | 7.5 | BIG-IP (all modules) | 17.0.0 – 17.1.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| K000132539: BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 | 7.4 | BIG-IP (APM) | 17.0.0 – 17.1.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
| | | BIG-IP APM Clients | 7.2.1 – 7.2.4 | 7.2.4.1 |
| K000132972: BIG-IP iQuery mesh vulnerability CVE-2023-28742 | 7.2 | BIG-IP (DNS) | 17.0.0 – 17.1.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| K000133233: NGINX Management Suite vulnerability CVE-2023-28724 | 7.1 | NGINX Instance Manager | 2.0.0 – 2.8.0, 1.0.0 – 1.0.4 | 2.9.0 |
| | | NGINX API Connectivity Manager | 1.0.0 – 1.4.1 | 1.5.0 |
| | | NGINX Security Monitoring | 1.0.0 – 1.2.0 | 1.3.0 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Medium CVEs
| Article (CVE) | CVSS score | Affected products | Affected versions¹ | Fixes introduced in |
|---|---|---|---|---|
| K000132522: BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 | 5.9 | BIG-IP (APM) | 17.0.0 – 17.1.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | None |
| | | BIG-IP APM Clients | 7.2.2 – 7.2.4 | 7.2.4.1 |
| K000132719: BIG-IQ iControl REST vulnerability CVE-2023-29240 | 5.4 | BIG-IQ Centralized Management | 8.0.0 – 8.2.0 | 8.3.0 |
| K000133132: BIG-IP TMM SSL vulnerability CVE-2023-24594 | 5.3 | BIG-IP (all modules) | 16.1.2, 15.1.4.1, 14.1.5 | 17.0.0, 16.1.2.1, 15.1.5 |
| | | BIG-IP Next SPK | 1.5.0 | 1.6.0 |
| K000132768: BIG-IP Configuration utility vulnerability CVE-2023-28406 | 4.3 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5 | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Related Content
- K12201527: Overview of Quarterly Security Notifications
- K67091411: Guidance for Quarterly Security Notifications
- K84205182: BIG-IP update and upgrade guide | Chapter 1: Guide contents
- K41942608: Overview of AskF5 security advisory articles
- K4602: Overview of the F5 security vulnerability response policy
- K4918: Overview of the F5 critical issue hotfix policy
- K39757430: F5 product and services lifecycle policy index
- K9502: BIG-IP hotfix and point release matrix
- K13123: Managing BIG-IP product hotfixes (11.x – 17.x)
- K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)
- K167: Downloading software and firmware from F5
- K9970: Subscribing to email notifications regarding F5 products
- K9957: Creating a custom RSS feed to view new and updated documents
- K27404821: Using F5 iHealth to diagnose vulnerabilities