Please see Security Advisories for the week ending May 6, 2022
• F5 Releases Security Advisories Addressing Multiple Vulnerabilities
• Cisco Releases Security Updates for Enterprise NFV Infrastructure Software
• Mozilla Releases Security Updates for Firefox and Firefox ESR
F5 Releases Security Advisories Addressing Multiple Vulnerabilities
F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP.
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
An attacker could exploit this vulnerability to take control of or damage an affected system.
CISA encourages users and administrators to review the F5 webpage, Overview of F5 vulnerabilities (May 2022), and apply the necessary updates or workarounds.
Cisco Releases Security Updates for Enterprise NFV Infrastructure Software
Cisco has released security updates to address multiple vulnerabilities in Enterprise NFV Infrastructure Software.
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.
This vulnerability is due to insufficient guest restrictions. An attacker could exploit this vulnerability by sending an API call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. CISA encourages users and administrators to review the Cisco advisory and apply the necessary updates. For updates addressing lower security vulnerabilities, see the Cisco Security Advisory page.
Mozilla Releases Security Updates for Firefox and Firefox ESR
Mozilla has released security updates to address vulnerabilities found in Firefox and Firefox ESR.
The patched vulnerabilities include an iframe sandbox bypass, memory safety bugs, a permission bypass, browser history leaks, and more.
An attacker who successfully exploits some of these vulnerabilities could take control of an affected system.
Users and administrators are advised to review the Mozilla Security Advisory for Firefox 100 and Firefox ESR 91.9 and apply the necessary updates.
Mozilla Firefox Security Advisory:
Mozilla Firefox ESR Security Advisory