CVE-2022-29263: 
F5 BIG-IP Virtual Edition vulnerability analysis and mitigation

CVE-2022-29263 affects F5 BIG-IP APM and BIG-IP APM Clients. The vulnerability was discovered and disclosed on May 5, 2022, impacting BIG-IP APM versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, 14.1.x prior to 14.1.4.6, 13.1.x prior to 13.1.5, all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5. The vulnerability stems from the BIG-IP Edge Client Component Installer Service not following best practices while saving temporary files (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is related to incorrect permission assignment for critical resources (CWE-732). The local attack vector requires low attack complexity and low privileges, with no user interaction needed (NVD).

The vulnerability can lead to high impacts on confidentiality, integrity, and availability of the affected systems. As the BIG-IP Edge Client Component Installer Service does not follow best practices for saving temporary files, this could potentially expose sensitive information or allow unauthorized modifications to the system (NVD).

F5 has released patched versions to address this vulnerability. Users should upgrade to BIG-IP APM version 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, or 13.1.5, and BIG-IP APM Clients should upgrade to version 7.2.1.5 or later. For systems that have reached End of Technical Support (EoTS), no patches will be provided (NVD, SecMaster).