CVE-2021-23030

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP Advanced WAF and ASM allows remote attackers to cause a denial of service by sending specially crafted WebSocket requests to systems with WebSocket profiles configured. The bd process terminates, disrupting traffic processing. Affected users are those running vulnerable versions of BIG-IP Advanced WAF or ASM with WebSocket profiles enabled.

💻 Affected Systems

Products:
  • F5 BIG-IP Advanced WAF
  • F5 BIG-IP ASM
Versions: 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, all versions of 12.1.x
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when WebSocket profile is configured on a virtual server. Versions 12.1.x have reached End of Technical Support.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for all traffic passing through the affected virtual server, requiring manual intervention to restore service.

🟠 Likely Case

Intermittent service disruptions affecting WebSocket-enabled applications, with automatic process restarts potentially restoring service after delays.

🟢 If Mitigated

Minimal impact if WebSocket profiles are disabled or if traffic filtering blocks malicious WebSocket requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific WebSocket requests to vulnerable configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1

Vendor Advisory: https://support.f5.com/csp/article/K42051445

Restart Required: Yes

Instructions:

1. Download the appropriate fixed version from F5 Downloads.
2. Back up the configuration.
3. Install the update following F5 upgrade procedures.
4. Restart services as required.

🔧 Temporary Workarounds

Disable WebSocket Profiles

all

Remove WebSocket profiles from virtual servers to eliminate vulnerability vector.

tmsh modify ltm virtual <virtual_server_name> profiles delete { <websocket_profile_name> }

Restrict WebSocket Traffic

all

Implement iRules or access policies to filter WebSocket connections from untrusted sources.

when HTTP_REQUEST {
    # Only act on WebSocket upgrade requests; the Upgrade token is case-insensitive, so normalise it
    if { [HTTP::header exists "Upgrade"] && [string tolower [HTTP::header "Upgrade"]] equals "websocket" } {
        # Reject WebSocket upgrades from clients outside the trusted range
        # (10.0.0.0/8 is a placeholder; replace it with your own trusted source range)
        if { not [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            reject
        }
    }
}

🧯 If You Can't Patch

  • Disable WebSocket profiles on all virtual servers immediately.
  • Implement network segmentation to restrict access to WebSocket-enabled services.

🔍 How to Verify

Check if Vulnerable:

Check if WebSocket profiles are configured: tmsh list ltm virtual one-line | grep websocket

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify installed version is patched: tmsh show sys version | grep -E "Version|Build"
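The two checks above can be scripted. The following is an added example, not part of the F5 advisory: it classifies a TMOS version against the affected ranges listed on this page and picks out the virtual servers that reference a WebSocket profile. It assumes the version string as printed by `tmsh show sys version` and the `tmsh list ltm virtual one-line` layout; the sample data embedded here is constructed.

```shell
# Added example (not F5's code): version and WebSocket-profile checks for CVE-2021-23030.
# Compare two dotted versions; prints -1, 0 or 1 for a<b, a=b, a>b (missing fields count as 0).
vercmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}
# Exit 0 when the version is in an affected range from this page:
# 16.0.x < 16.0.1.2, 15.1.x < 15.1.3.1, 14.1.x < 14.1.4.3, 13.1.x < 13.1.4.1, all of 12.1.x.
is_vulnerable_version() {
    case "$1" in
        16.0.*) fixed=16.0.1.2 ;;
        15.1.*) fixed=15.1.3.1 ;;
        14.1.*) fixed=14.1.4.3 ;;
        13.1.*) fixed=13.1.4.1 ;;
        12.1.*) return 0 ;;    # no fixed release; 12.1.x is End of Technical Support
        *)      return 1 ;;    # branch not listed as affected
    esac
    [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}
# Print the virtual servers (one per line) whose one-line config references any WebSocket profile
# name given as an argument. Take the names from 'tmsh list ltm profile websocket one-line':
# a custom profile need not contain the word "websocket", which the plain grep above would miss.
websocket_virtuals() {
    while IFS= read -r line; do
        name=${line#ltm virtual }; name=${name%% *}
        for prof in "$@"; do
            case "$line" in
                *" $prof { "*) printf '%s\n' "$name"; break ;;
            esac
        done
    done
}
# Constructed sample data; on a real unit use, e.g.,
#   tmsh show sys version | awk '/^ *Version/ {print $2; exit}'   and   tmsh list ltm virtual one-line
SAMPLE_VERSION=15.1.2
SAMPLE_TMSH_OUTPUT='ltm virtual vs_chat { destination 192.0.2.10:443 profiles { http { } websocket { } tcp { } } }
ltm virtual vs_static { destination 192.0.2.11:80 profiles { http { } tcp { } } }
ltm virtual vs_api { destination 192.0.2.12:8443 profiles { http { } ws_custom { context all } } }'
if is_vulnerable_version "$SAMPLE_VERSION"; then
    printf 'BIG-IP %s is in an affected range; virtual servers with a WebSocket profile:\n' "$SAMPLE_VERSION"
    printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | websocket_virtuals websocket ws_custom
fi
```

The profile names `websocket` and `ws_custom` are constructed; substitute the names returned by `tmsh list ltm profile websocket one-line` on the system being checked.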

📡 Detection & Monitoring

Log Indicators:

  • bd process termination messages in /var/log/ltm
  • Unexpected WebSocket connection attempts in ASM logs

Network Indicators:

  • Sudden drop in traffic to WebSocket-enabled services
  • Increased WebSocket handshake failures

SIEM Query:

source="/var/log/ltm" "bd.*terminated" OR source="/var/log/asm" "WebSocket.*malformed"

🔗 References