CVE-2021-23044
📋 TL;DR
This vulnerability affects F5 BIG-IP devices using Intel QAT compression, where specific network traffic can cause the Traffic Management Microkernel (TMM) to crash, leading to denial of service. Affected systems include BIG-IP hardware and Virtual Edition platforms running vulnerable versions. The vulnerability impacts availability but does not allow code execution or data theft.
💻 Affected Systems
- F5 BIG-IP hardware platforms
- F5 BIG-IP Virtual Edition (VE)
📦 What is this software?
BIG-IP Application Acceleration Manager by F5
BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption as TMM terminates, causing all traffic management functions to fail until system restart.
Likely Case
Intermittent service outages when specific traffic patterns trigger the vulnerability, requiring manual intervention to restore services.
If Mitigated
Minimal impact if QAT compression is disabled or systems are patched, with potential performance degradation if compression is disabled.
🎯 Exploit Status
Exploitation requires sending specific network traffic to vulnerable systems. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1
Vendor Advisory: https://support.f5.com/csp/article/K35408374
Restart Required: Yes
Instructions:
1. Download appropriate patch from F5 Downloads.
2. Backup configuration.
3. Apply patch following F5 upgrade procedures.
4. Restart system to activate patch.
🔧 Temporary Workarounds
Disable QAT Compression
Disable Intel QuickAssist Technology compression to prevent exploitation
tmsh modify sys db qat.compression.allow value disable
🧯 If You Can't Patch
- Implement network segmentation to restrict access to BIG-IP management interfaces
- Deploy intrusion prevention systems (IPS) to detect and block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version and QAT compression status: tmsh show sys version and tmsh list sys db qat.compression.allow
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify version is patched: tmsh show sys version and confirm QAT compression is disabled or system is on fixed version
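The version and setting check described above can be scripted; the following is an added example, not code from F5 or from this page. It assumes the tmsh output layout shown in the constructed samples, matches a release to a fixed version by major number, and reports branches the page does not list as unknown.

```sh
#!/bin/sh
# Fixed releases, copied from the "Patch Version" line of this page.
FIXED="16.1.0 15.1.3.1 14.1.4.2 13.1.4.1"

# ver_lt A B: true if dotted numeric version A is strictly lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# classify VERSION QAT_VALUE -> patched | mitigated | unpatched | unknown
classify() {
    case $1 in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    for fixed in $FIXED; do
        [ "${1%%.*}" = "${fixed%%.*}" ] || continue   # same major branch only
        if ! ver_lt "$1" "$fixed"; then echo patched
        elif [ "$2" = disable ]; then echo mitigated  # workaround applied
        else echo unpatched; fi                       # unset value counts as enabled
        return 0
    done
    echo unknown   # branch not listed on the page
}

# Parsers for tmsh output on stdin (layout is an assumption, see samples).
parse_version() { awk '$1 == "Version" { print $2; exit }'; }
parse_db_value() { awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'; }

# Constructed samples standing in for the two tmsh commands named above.
SAMPLE_VERSION='Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2
  Build       0.0.9'
SAMPLE_DB='sys db qat.compression.allow {
    value "enable"
}'

check_sample() {
    classify "$(printf '%s\n' "$SAMPLE_VERSION" | parse_version)" \
             "$(printf '%s\n' "$SAMPLE_DB" | parse_db_value)"
}
check_sample
```

On a real device, pipe the output of the two tmsh commands into parse_version and parse_db_value instead of the sample strings.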
📡 Detection & Monitoring
Log Indicators:
- TMM process termination logs
- System crash dumps
- High availability failover events
Network Indicators:
- Unusual traffic patterns to BIG-IP devices
- Sudden service interruptions
SIEM Query:
source="bigip" AND ("TMM terminated" OR "panic" OR "crash")