CVE-2021-22973
📋 TL;DR
This vulnerability in F5 BIG-IP's JSON parser allows attackers to perform out-of-bounds memory access or writes, potentially leading to remote code execution or denial of service. It affects BIG-IP versions 12.1.x through 16.0.x before specific patched versions. Organizations running vulnerable BIG-IP instances are at risk.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges, complete system compromise, and potential lateral movement within the network.
Likely Case
Denial of service causing BIG-IP service disruption, or information disclosure through memory leaks.
If Mitigated
Limited impact if network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
The vulnerability requires sending specially crafted JSON data to vulnerable endpoints. While no public PoC exists, memory corruption vulnerabilities in network devices are frequently exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 (12.1.x has no patch - upgrade required)
Vendor Advisory: https://support.f5.com/csp/article/K13323323
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch via the F5 management interface or CLI.
4. Reboot the system.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict Access to Management Interfaces
Limit network access to BIG-IP management interfaces to trusted IP addresses only
Configure firewall rules to restrict access to BIG-IP management IPs
Disable Unnecessary Services
Disable any unnecessary JSON-based services or APIs on BIG-IP
Review and disable unused iControl REST endpoints and other JSON services
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BIG-IP devices from untrusted networks
- Deploy intrusion prevention systems (IPS) with rules to detect and block JSON parser exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version via the CLI ('tmsh show sys version') or in the Web UI under System > Configuration > Device > General
Check Version:
tmsh show sys version | grep Version
Verify Fix Applied:
Verify that the running version is patched: 16.0.1.1 or higher, 15.1.2 or higher, 14.1.3.1 or higher, or 13.1.3.5 or higher. 12.1.x has no patch and requires an upgrade to a supported version.
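The version check above can be scripted so it is applied consistently across a fleet. The following is an added example, not F5's own tooling: it parses the "Version" line of `tmsh show sys version` output, maps the running version onto the fixed versions listed in this advisory (16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, with 12.1.x needing an upgrade), and reports patched, vulnerable, upgrade-required or unknown-branch. The sample tmsh output is constructed for the offline demo, and any branch not listed on this page is reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example: CVE-2021-22973 version check for F5 BIG-IP.
# Assumption: the real `tmsh show sys version` output contains a line
# starting with "Version" followed by the dotted version number.

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.4
  Build       0.0.6
  Edition     Point Release 4'

# Print the first dotted version found in tmsh output read from stdin.
extract_version() {
  awk '$1 == "Version" { print $2; exit }'
}

# Compare two dotted versions numerically, component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2; missing components count as 0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xa = (i <= na) ? x[i] + 0 : 0
      yb = (i <= nb) ? y[i] + 0 : 0
      if (xa < yb) { print "-1"; exit }
      if (xa > yb) { print "1"; exit }
    }
    print "0"
  }'
}

# Classify a BIG-IP version against the fixed versions from the advisory.
# Prints one word and returns 0 only when the version is patched.
cve_2021_22973_status() {
  v="$1"
  branch=$(printf '%s' "$v" | cut -d. -f1,2)
  case "$branch" in
    16.0) fixed=16.0.1.1 ;;
    15.1) fixed=15.1.2 ;;
    14.1) fixed=14.1.3.1 ;;
    13.1) fixed=13.1.3.5 ;;
    12.1) echo "upgrade-required"; return 1 ;;   # no patch for 12.1.x
    *)    echo "unknown-branch";   return 2 ;;   # not covered by this advisory
  esac
  if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then
    echo "patched"; return 0
  fi
  echo "vulnerable"; return 1
}

# Offline demo against the constructed sample.
# On a real device (assumption: run from bash on the BIG-IP), use:
#   cve_2021_22973_status "$(tmsh show sys version | extract_version)"
demo_version=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_version)
printf 'running %s: ' "$demo_version"
cve_2021_22973_status "$demo_version" || echo "(action required, exit status $?)"
```

The exit status is nonzero whenever action is needed, so the function can be used directly in inventory scripts; the printed word gives the reason.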
📡 Detection & Monitoring
Log Indicators:
- Unusual JSON parsing errors in /var/log/ltm
- Memory corruption warnings in system logs
- Unexpected process crashes
Network Indicators:
- Unusual JSON payloads to BIG-IP management or data plane interfaces
- Traffic patterns suggesting exploitation attempts
SIEM Query:
source="bigip_logs" AND ("json parser" OR "memory access" OR "out of bounds")