CVE-2021-23009

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP allows attackers to cause a denial of service by sending malformed HTTP/2 requests that trigger an infinite loop in the Traffic Management Microkernel (TMM). Only BIG-IP versions 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3 are affected, and the impact is limited to data plane traffic.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.0.x before 16.0.1.1, 15.1.x before 15.1.3
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects data plane traffic; control plane is not exposed. End-of-Technical-Support versions are not evaluated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for all data plane traffic: the TMM process aborts, and any configured high-availability failover action is triggered.

🟠

Likely Case

Service disruption for HTTP/2 traffic, potentially causing application downtime until TMM restarts or failover completes.

🟢

If Mitigated

Minimal impact if systems are patched or workarounds are implemented; temporary service interruption during failover events.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed HTTP/2 requests to vulnerable BIG-IP systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1.1 or 15.1.3

Vendor Advisory: https://support.f5.com/csp/article/K90603426

Restart Required: Yes

Instructions:

1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart TMM services.

🔧 Temporary Workarounds

Disable HTTP/2

Applies to: all affected versions

Disable HTTP/2 protocol support to prevent exploitation via malformed HTTP/2 requests.

tmsh modify /ltm profile http http2 disabled

🧯 If You Can't Patch

  • Implement network filtering to block malformed HTTP/2 requests using WAF or IPS.
  • Monitor TMM process health and implement automated restart scripts for recovery.

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version with 'tmsh show sys version' and compare against affected versions.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify version is 16.0.1.1 or higher for 16.0.x, or 15.1.3 or higher for 15.1.x.
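A small check for the comparison above, added here as an example and not part of F5's tooling: it parses a constructed sample of `tmsh show sys version` output (the layout is assumed, not a real capture) and classifies the version against the ranges this page lists.

```python
import re

# Affected branches taken from this page's summary:
# 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3.
AFFECTED_BRANCHES = {
    (16, 0): (16, 0, 1, 1),
    (15, 1): (15, 1, 3),
}

# Constructed sample of `tmsh show sys version` output (layout assumed).
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.0.1
  Build       0.0.3
  Edition     Point Release 1
"""


def parse_version(tmsh_output: str) -> tuple:
    """Extract the dotted version from tmsh output as a tuple of ints."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", tmsh_output, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version: tuple) -> str:
    """Classify a version against the ranges on this page.

    Returns 'affected', 'fixed', or 'not-listed' for branches the advisory
    does not name (e.g. End-of-Technical-Support releases, not evaluated).
    """
    branch = version[:2]
    fixed_in = AFFECTED_BRANCHES.get(branch)
    if fixed_in is None:
        return "not-listed"
    # Tuple comparison handles differing lengths: (16, 0, 1) < (16, 0, 1, 1).
    return "affected" if version < fixed_in else "fixed"


def assess_output(tmsh_output: str) -> str:
    """Convenience wrapper: raw tmsh output in, verdict out."""
    return assess(parse_version(tmsh_output))


if __name__ == "__main__":
    print(assess_output(SAMPLE_OUTPUT))
```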

📡 Detection & Monitoring

Log Indicators:

  • TMM process crashes or restarts in /var/log/ltm
  • High CPU usage patterns from TMM processes
  • HA failover events in system logs

Network Indicators:

  • Unusual HTTP/2 traffic patterns
  • Malformed HTTP/2 request attempts

SIEM Query:

source="*/var/log/ltm*" AND ("TMM" AND ("crash" OR "restart" OR "abort"))
