CVE-2021-22978

8.3 HIGH

📋 TL;DR

This vulnerability is a reflected cross-site scripting (XSS) attack in the iControl REST interface of F5 BIG-IP devices. Attackers can craft malicious URLs that execute JavaScript in the browser of authenticated users, potentially leading to full system compromise if the victim has admin privileges. Affected versions include BIG-IP 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, all 12.1.x and 11.6.x versions
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects iControl REST endpoints. Software versions that have reached End of Software Development (EoSD) are not evaluated.

📦 What is this software?

F5 BIG-IP is a family of application delivery controllers (load balancing, TLS termination, traffic management and related security modules). It is administered through a management plane that exposes a web GUI and the iControl REST API, which is the interface affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the BIG-IP system with administrative access, allowing an attacker to steal credentials, modify configurations, intercept traffic, or deploy malware.

🟠 Likely Case: Session hijacking, credential theft, or unauthorized configuration changes by tricking authenticated users into clicking malicious links.

🟢 If Mitigated: Limited impact if proper access controls, network segmentation, and user awareness training are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires social engineering to trick authenticated users into clicking malicious links. Attack is reflected through vulnerable iControl REST endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5

Vendor Advisory: https://support.f5.com/csp/article/K87502622

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the F5 Downloads site.
2. Back up the current configuration.
3. Apply the patch using F5 upgrade procedures.
4. Restart the system.
5. Verify the version after restart.

🔧 Temporary Workarounds

Restrict iControl REST Access

Applies to: all

Limit access to the iControl REST interface to trusted networks only, using firewall rules or BIG-IP access policies.

tmsh modify /sys httpd allow replace-all-with { trusted_networks }

Here `trusted_networks` is a placeholder for the space-separated management host addresses or CIDR blocks that need access. The `/sys httpd allow` list governs all HTTPS management access (GUI as well as iControl REST), so include the addresses of your own administration hosts, or you will lock yourself out of the management plane.

Implement Content Security Policy

Applies to: all

Add a Content-Security-Policy header to the management httpd to reduce the impact of XSS. The `include` option of `/sys httpd` inserts raw Apache directives into the management httpd configuration, so the header has to be expressed as a `Header set` directive (this assumes mod_headers is loaded in the BIG-IP httpd) rather than as a bare header line:

tmsh modify /sys httpd include "Header set Content-Security-Policy \"default-src 'self'\""

Test this on a non-production unit first: a restrictive policy can interfere with the management GUI, and it does not remove the underlying flaw, so it is a stopgap until the patch is applied.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BIG-IP management interfaces
  • Enforce strong authentication and session management controls

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version using 'tmsh show sys version' and compare it against the affected versions list above.

Check Version:

tmsh show sys version | grep Version

Verify Fix Applied:

Verify version is 16.0.1 or higher, 15.1.1 or higher, 14.1.3.1 or higher, or 13.1.3.5 or higher.
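The version comparison above is easy to get wrong by hand because the branches have different numbers of components (14.1.3.1 versus 15.1.1) and two branches have no fixed release at all. The following script is an added example, not part of the advisory or of any F5 tooling: it extracts the version from `tmsh show sys version` output and reports whether it falls inside the affected ranges stated on this page. The sample tmsh output is constructed for the example; run the real command and feed its text to `version_from_tmsh` on a live system.

```python
import re

# Affected branches from the advisory, keyed by (major, minor).
# Value is the first fixed version on that branch, or None where the
# advisory lists the whole branch as affected with no fix (12.1.x, 11.6.x).
AFFECTED_BRANCHES = {
    (16, 0): (16, 0, 1),
    (15, 1): (15, 1, 1),
    (14, 1): (14, 1, 3, 1),
    (13, 1): (13, 1, 3, 5),
    (12, 1): None,
    (11, 6): None,
}


def parse_version(text):
    """Turn '14.1.3.1' into (14, 1, 3, 1); raises ValueError on junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(v, n):
    # Right-pad with zeros so 14.1.3 compares as 14.1.3.0 against 14.1.3.1
    return v + (0,) * (n - len(v))


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'not listed' for a BIG-IP version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in AFFECTED_BRANCHES:
        # Branches the advisory does not mention (e.g. 16.1.x, 17.x) are out
        # of scope here; EoSD releases were not evaluated by the vendor.
        return "not listed"
    fixed = AFFECTED_BRANCHES[branch]
    if fixed is None:
        return "vulnerable"
    width = max(len(v), len(fixed))
    return "vulnerable" if _padded(v, width) < _padded(fixed, width) else "fixed"


# Constructed sample of 'tmsh show sys version' output (not captured from a device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0
  Build       0.0.31
  Edition     Final
  Date        Tue Dec 10 14:00:00 PST 2019
"""


def version_from_tmsh(output):
    """Pull the dotted version from the 'Version' line of tmsh output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version' line found in tmsh output")
    return m.group(1)


if __name__ == "__main__":
    ver = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(f"BIG-IP {ver}: {assess(ver)}")
```

On a real unit, `tmsh show sys version` can be piped into a file and read into `version_from_tmsh`; the `not listed` result is deliberately distinct from `fixed` so that an unevaluated branch is not silently reported as safe.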

📡 Detection & Monitoring

Log Indicators:

  • Unusual iControl REST endpoint access patterns
  • Suspicious URL parameters in HTTP logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Malicious JavaScript payloads in HTTP requests to iControl REST endpoints
  • Unusual outbound connections from BIG-IP management interface

SIEM Query:

source="bigip_logs" AND (url="*iControl*" AND (param="*<script>*" OR param="*javascript:*"))
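The search above matches the literal strings `<script>` and `javascript:`, so a request that carries them percent-encoded (`%3Cscript%3E`) would slip past it. The script below is an added example, not part of the advisory or of any F5 or SIEM product: it applies the same two markers to access-log lines, but percent-decodes the request target first (twice, to catch double encoding) and restricts itself to iControl REST traffic, which is served under `/mgmt/` (the `*iControl*` substring from the query is honoured as well). The log lines are constructed in Apache combined format for the example, with neutral marker strings rather than payloads.

```python
import re
from urllib.parse import unquote

# The two markers from the page's SIEM query, applied after decoding.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Apache combined log format: client ident user [time] "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_icontrol_rest(target):
    """iControl REST lives under /mgmt/; also honour the query's '*iControl*' match."""
    path = target.split("?", 1)[0].lower()
    return path.startswith("/mgmt/") or "icontrol" in path


def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times, stopping when nothing changes."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_access_log(lines):
    """Return one hit dict per iControl REST request whose decoded target carries a marker."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        if not is_icontrol_rest(target):
            continue
        marker = SCRIPT_MARKERS.search(decode_target(target))
        if marker:
            hits.append({
                "client": m.group("client"),
                "target": target,
                "status": m.group("status"),
                "marker": marker.group(0),
            })
    return hits


# Constructed sample log lines (not from a real device); the script markers are
# inert strings used only to exercise the matcher.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Mar/2021:10:00:00 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2021:10:00:05 +0000] "GET /mgmt/tm/ltm/virtual?expandSubcollections=%3Cscript%3E HTTP/1.1" 400 120',
    '10.0.0.9 - - [10/Mar/2021:10:00:07 +0000] "GET /mgmt/tm/sys/version?filter=javascript%3Avoid HTTP/1.1" 401 98',
    '10.0.0.7 - - [10/Mar/2021:10:00:09 +0000] "GET /tmui/login.jsp?msg=%3Cscript%3E HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['target']} (status {hit['status']}, marker {hit['marker']!r})")
```

The fourth sample line is deliberately left unflagged: it is not an iControl REST request, so it is outside the scope of this advisory's query even though it carries the same marker. Widen `is_icontrol_rest` if you want the rule to cover the whole management plane.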
