BIG-IP Configuration utility authenticated SQL injection - 20231101001¶
Overview¶
An authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses may be able to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.
F5 has observed threat actors using this vulnerability in combination with CVE-2023-46747.
F5 have updated their advisory to include indicators of compromise - Please see the Recommendation section for details.
What is the vulnerability?¶
CVE-2023-46748 - CVSS v3 Base Score: 8.8
What is vulnerable?¶
The vulnerability affects the following product from F5:
- BIG-IP
- affected from 17.1.0
- unaffected from Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso
- affected from 16.1.0
- unaffected from Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso
- affected from 15.1.0
- unaffected from Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.iso
- affected from 14.1.0
- unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso
- affected from 13.1.0
- 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG.iso
- affected from 17.1.0
What has been observed?¶
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 2 weeks (refer Patch Management):
Review your environment for indicators of compromise:
F5 has observed threat actors using this vulnerability in combination with CVE-2023-46747. Below are the indicators of compromise observed with CVE-2023-46748.
You may see entries in the /var/log/tomcat/catalina.out file similar to the following example:
In the previous example, note the following:
In the line of Column not found: 0, the 0 can be replaced with a different number.
In the line of