In certain F5 BIG-IP versions, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
The following versions of F5 BIG-IP are affected:
This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI (through the BIG-IP management port and/or Self IPs) to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.
Please note that if you run an affected version but your management UI is not exposed publicly, the risk of this vulnerability being exploited is significantly reduced. Patching as soon as possible is still recommended to prevent internal exploitation.
If the F5 security advisory lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
If it is not possible to upgrade at this time, F5 have suggested a number of temporary mitigations in their security advisory.
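The upgrade-candidate rule above can be applied mechanically once the advisory's per-branch version list is in hand. The following is an added example, not code from the page or from F5; the version numbers in `FIXED_VERSIONS` are constructed placeholders and must be replaced with the real entries from the F5 security advisory.

```python
"""Decide whether an upgrade candidate exists for a running BIG-IP version.

Added example. FIXED_VERSIONS holds constructed placeholder data keyed by
major branch; take the real values from the F5 security advisory.
"""
from __future__ import annotations

from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a BIG-IP version string such as '15.1.0.4' into a comparable tuple."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed BIG-IP version: {v!r}")
    return tuple(int(p) for p in parts)


# Constructed placeholders: for each major branch, the non-vulnerable version
# listed in a hypothetical advisory, or None if no fixed version is listed.
FIXED_VERSIONS: dict[int, Optional[str]] = {
    11: "11.6.5.2",
    12: "12.1.5.2",
    13: None,          # advisory lists no non-vulnerable version for this branch
    14: "14.1.2.6",
}


def upgrade_candidate(running: str, fixed: dict[int, Optional[str]] = FIXED_VERSIONS) -> Optional[str]:
    """Return the version to upgrade to, or None when no candidate exists.

    Mirrors the advisory's rule: if the listed version is older than the one
    running, or no non-vulnerable version is listed for the branch, there is
    nothing to upgrade to and the temporary mitigations apply instead.
    """
    run = parse_version(running)
    listed = fixed.get(run[0])
    if listed is None:
        return None                      # no non-vulnerable version listed
    if parse_version(listed) < run:
        return None                      # only an older version is listed
    return listed


def is_patched(running: str, fixed: dict[int, Optional[str]] = FIXED_VERSIONS) -> bool:
    """True when the running version is at or above the listed fixed version."""
    run = parse_version(running)
    listed = fixed.get(run[0])
    return listed is not None and run >= parse_version(listed)
```

A `None` result from `upgrade_candidate` is the case the advisory describes: stay on the temporary mitigations until F5 publishes a fixed version for that branch.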