CVE-2022-33947: 
F5 BIG-IP Virtual Edition vulnerability analysis and mitigation

A vulnerability (CVE-2022-33947) was discovered in BIG-IP DNS Traffic Management User Interface (TMUI) affecting versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x. The vulnerability was disclosed and assigned a CVE ID on July 19, 2022 (CVE Details).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). It received a CVSS v3.1 Base Score of 6.5 (MEDIUM) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while F5 Networks assessed it with a score of 5.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (NVD).

The vulnerability allows an authenticated attacker with at least operator role privileges to cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests (CVE Details).

The vulnerability has been addressed in newer versions of BIG-IP. Users should upgrade to version 16.1.3, 15.1.6.1, or 14.1.5 depending on their current version track. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated (CVE Details).