CVE-2021-22985
📋 TL;DR
This vulnerability allows authenticated VPN users on BIG-IP APM to cause excessive memory consumption in the Traffic Management Microkernel (TMM), potentially leading to a denial-of-service condition. It affects BIG-IP APM version 16.0.x before 16.0.1.1. Systems with VPN configurations using APM are vulnerable when processing VPN traffic under certain conditions.
💻 Affected Systems
- F5 BIG-IP APM
📦 What is this software?
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for APM services, disrupting VPN connectivity and potentially affecting other BIG-IP services due to memory exhaustion.
Likely Case
Degraded APM performance and intermittent VPN connectivity issues due to memory pressure on the TMM process.
If Mitigated
Minimal impact with proper access controls and monitoring in place to detect and block malicious VPN sessions.
🎯 Exploit Status
Requires authenticated VPN access and specific conditions when processing VPN traffic. The vulnerability is triggered under certain memory handling conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.1.1 or later
Vendor Advisory: https://support.f5.com/csp/article/K88162221
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from F5 Downloads.
2. Upload the hotfix to the BIG-IP system.
3. Install the hotfix using the WebUI or CLI.
4. Reboot the system to complete the installation.
🔧 Temporary Workarounds
Restrict VPN Access
Limit VPN access to trusted users only and implement strict authentication controls.
Monitor TMM Memory Usage
Implement monitoring for TMM process memory consumption and alert on abnormal patterns.
tmsh show sys proc-info tmm.0 | grep -i memory
🧯 If You Can't Patch
- Implement strict VPN user access controls and monitoring
- Consider disabling VPN functionality if not essential
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version with 'tmsh show sys version' and verify if running 16.0.x before 16.0.1.1 with APM enabled.
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify version is 16.0.1.1 or later with 'tmsh show sys version' and check APM configuration status.
📡 Detection & Monitoring
Log Indicators:
- High TMM memory usage in /var/log/ltm
- APM VPN session anomalies in /var/log/apm
Network Indicators:
- Unusual VPN traffic patterns
- Increased connection timeouts for VPN users
SIEM Query:
source="bigip" (("TMM" AND "memory") OR ("APM" AND "VPN" AND "error"))