CVE-2021-23035
📋 TL;DR
This vulnerability in F5 BIG-IP systems allows remote attackers to cause denial of service by sending specially crafted chunked HTTP responses. When exploited, it causes the Traffic Management Microkernel (TMM) to terminate, disrupting traffic management services. Affected systems are BIG-IP versions 14.1.x before 14.1.4.4 with HTTP profiles configured on virtual servers.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with TMM termination, causing all traffic management functions to fail on affected virtual servers.
Likely Case
Intermittent service outages and performance degradation as TMM restarts after termination.
If Mitigated
Minimal impact with proper network segmentation and monitoring to detect and respond to TMM restarts.
🎯 Exploit Status
Requires a specific sequence of packets to trigger the vulnerability. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.1.4.4 and later
Vendor Advisory: https://support.f5.com/csp/article/K70415522
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from F5 Downloads.
2. Upload the hotfix to the BIG-IP system.
3. Install the hotfix using the WebUI or CLI.
4. Reboot the system to complete installation.
🔧 Temporary Workarounds
Disable HTTP Profile
Remove the HTTP profile configuration from vulnerable virtual servers
tmsh modify ltm virtual <virtual_server_name> profiles delete { http }
Implement Rate Limiting
Configure rate limiting on virtual servers to reduce the attack surface
tmsh create ltm profile rate-shaping <profile_name>
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy WAF or IPS to detect and block malicious chunked responses
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version and verify if HTTP profile is configured on any virtual server: tmsh list ltm virtual one-line | grep http
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify system is running version 14.1.4.4 or later: tmsh show sys version
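To make the two checks above scriptable, here is an added Python example (not from F5 or the advisory) that parses constructed samples of `tmsh show sys version` and `tmsh list ltm virtual one-line` output, compares the version against the 14.1.x before 14.1.4.4 range, and lists virtual servers whose profiles block actually contains the HTTP profile rather than merely matching the string `http`. The sample output text, the zero-padded tuple comparison and the default profile-name set are assumptions.

```python
import re

# Constructed sample of `tmsh show sys version` output (not captured from a real device).
SAMPLE_VERSION = """Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.4.2
  Build       0.0.4
"""

# Constructed sample of `tmsh list ltm virtual one-line` output. The third entry only has
# "http" in its name, yet a plain `grep http` would still match it.
SAMPLE_VIRTUALS = """ltm virtual vs_web { destination 10.0.0.10:80 ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_ssh { destination 10.0.0.11:22 ip-protocol tcp mask 255.255.255.255 profiles { tcp { } } source 0.0.0.0/0 }
ltm virtual vs_http_redirect { destination 10.0.0.12:8080 ip-protocol tcp mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 }
"""

FIXED = (14, 1, 4, 4)  # first fixed release in the 14.1.x branch

def parse_version(text):
    """Return the 'Version' field of `tmsh show sys version` as a zero-padded 4-tuple."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)", text, re.MULTILINE)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def version_affected(version):
    """Affected range is 14.1.x before 14.1.4.4; other branches are out of scope here."""
    return version[:2] == (14, 1) and version < FIXED

def _profiles_block(line):
    """Text inside the `profiles { ... }` braces of one one-line virtual (nesting handled)."""
    start = line.find("profiles {")
    if start < 0:
        return ""
    i, depth = start + len("profiles "), 0
    for j in range(i, len(line)):
        depth += {"{": 1, "}": -1}.get(line[j], 0)
        if depth == 0:
            return line[i + 1:j]
    return ""

def virtuals_with_http_profile(text, http_profiles=frozenset({"http"})):
    """Names of virtual servers whose profiles block lists any of `http_profiles`.
    Custom HTTP profiles have their own names; pass them in (see `tmsh list ltm profile http`)."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if m and set(re.findall(r"(\S+) \{", _profiles_block(line))) & http_profiles:
            hits.append(m.group(1))
    return hits
```

A host is exposed only when `version_affected(parse_version(...))` is true and `virtuals_with_http_profile(...)` returns at least one name.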
📡 Detection & Monitoring
Log Indicators:
- TMM termination events in /var/log/ltm
- Unexpected TMM restarts in system logs
Network Indicators:
- Unusual chunked HTTP response patterns
- Sudden drops in traffic to specific virtual servers
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "TMM restart")