F5 BIG-IP and BIG-IQ Configuration Utility Vulnerability Allowing Access to Sensitive Information

Vulnerability

A vulnerability exists in certain pages of the BIG-IP and BIG-IQ Configuration utilities. It may allow a low-privileged authenticated attacker to access undisclosed sensitive information. This issue affects BIG-IP versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, and 16.1.0 to 16.1.6, as well as all BIG-IQ Centralized Management versions. The vulnerability arises from improper neutralization of data within XPath expressions, potentially leading to XPath injection.

Impact

Exploitation of this vulnerability could allow a low-privileged authenticated attacker with network access to the BIG-IP Configuration utility, via the management port or self-IP address, to view sensitive information. This issue is confined to the control plane, with no exposure on the data plane.

Remediation

Users can upgrade to BIG-IP versions 17.1.5.3 or 17.1.3. For BIG-IP 16.x, no fixed 16.x release is available; users on that branch should upgrade to a release that contains the fix. Until then, exposure of the vulnerable Configuration utility can be reduced by limiting management access to trusted users and devices over a secure network. For more information about securing access to BIG-IP, refer to the F5 articles K13092, K13309, and K46122561.

Added: May 13, 2026, 6:09 PM
Updated: May 13, 2026, 6:09 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 3.5
remediation:    0.0
relevance:      8.2
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.