Please see Security Advisories for the week ending May 6, 2022
• F5 Releases Security Advisories Addressing Multiple Vulnerabilities
• Cisco Releases Security Updates for Enterprise NFV Infrastructure Software
• Mozilla Releases Security Updates for Firefox and Firefox ESR
_______________________________
F5 Releases Security Advisories Addressing Multiple Vulnerabilities
Situation
F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP.
Problem
The vulnerability described in F5 article K23605346 may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. The remaining vulnerabilities are summarized in F5's May 2022 overview (K55879220).
Implication
An attacker could exploit this vulnerability to take control of or damage an affected system. Because the exposure is limited to the control plane, BIG-IP systems whose management port and self IP addresses are reachable from untrusted networks are at the greatest risk; restricting that access to trusted administrative networks reduces exposure until the updates are applied.
Need
CISA encourages users and administrators to review the F5 webpage, Overview of F5 vulnerabilities (May 2022), and apply the necessary updates or workarounds.
Important Links:
https://support.f5.com/csp/article/K23605346
https://support.f5.com/csp/article/K55879220
________________________________
Cisco Releases Security Updates for Enterprise NFV Infrastructure Software
Situation
Cisco has released security updates to address multiple vulnerabilities in Enterprise NFV Infrastructure Software.
Problem
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.
Implication
The guest escape vulnerability is due to insufficient guest restrictions. An attacker could exploit it by sending an API call from a VM that executes with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.
Need
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address them. CISA encourages users and administrators to review the Cisco advisory and apply the necessary updates. For updates addressing lower-severity vulnerabilities, see the Cisco Security Advisory page.
Important Links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Mozilla Releases Security Updates for Firefox and Firefox ESR
Situation
Mozilla has released security updates to address vulnerabilities found in Firefox and Firefox ESR.
Problem
The vulnerabilities patched include an iframe sandbox bypass, memory safety bugs, a permission-prompt bypass, leaking of browser history, and others.
Implication
Successful exploitation of some of these vulnerabilities could allow an attacker to take control of an affected system.
Need
It is recommended that users and administrators review the Mozilla security advisories for Firefox 100 and Firefox ESR 91.9 and apply the necessary updates.
Mozilla Firefox Security Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/
Mozilla Firefox ESR Security Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/
________________________________