CVE-2022-23015

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems causes memory exhaustion when a specific SSL configuration is enabled. Attackers can trigger resource consumption leading to denial of service. Affected are BIG-IP systems running vulnerable versions with both Client Certificate Authentication (request/require) and Session Ticket enabled.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.2.6-14.1.4.4
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Requires specific configuration: Client SSL profile with Client Certificate Authentication set to request/require AND Session Ticket enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system unavailability due to memory exhaustion, causing denial of service for all services on the affected BIG-IP device.

🟠 Likely Case: Degraded performance and intermittent service disruptions as memory resources become constrained.

🟢 If Mitigated: Minimal impact with proper monitoring and resource limits in place, though some performance degradation may still occur during an attack.

🌐 Internet-Facing: HIGH - Internet-facing virtual servers with the vulnerable configuration are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires sending SSL traffic to a virtual server with the vulnerable configuration, which is straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1.0, 15.1.4.1, or later versions

Vendor Advisory: https://support.f5.com/csp/article/K08476614

Restart Required: Yes

Instructions:

1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch following F5 upgrade procedures.
4. Reboot the system.
5. Verify the version and configuration.

🔧 Temporary Workarounds

Disable Session Tickets


Disable session tickets on the affected Client SSL profiles to mitigate the vulnerability.

tmsh modify ltm profile client-ssl <profile_name> session-ticket disabled

Disable Client Certificate Authentication


Change the Client Certificate Authentication setting (the profile's peer-cert-mode) to 'ignore' instead of 'request' or 'require'. Note that 'authenticate once' only controls how often the client is re-authenticated and does not turn client certificate authentication off.

tmsh modify ltm profile client-ssl <profile_name> peer-cert-mode ignore

🧯 If You Can't Patch

  • Implement rate limiting on SSL connections to reduce impact
  • Monitor memory usage and set up alerts for abnormal consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version with 'tmsh show sys version' and verify whether any Client SSL profile has the vulnerable configuration (Client Certificate Authentication set to request/require together with Session Ticket enabled) using 'tmsh list ltm profile client-ssl'.
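As an added example (not from the advisory or from F5), the following script parses 'tmsh list ltm profile client-ssl' output and names every profile that combines the two settings this CVE requires; the tmsh output it reads is a constructed sample, and it assumes the settings appear as the peer-cert-mode and session-ticket properties of each profile.

```shell
# Added example, not part of the original advisory: flag Client SSL profiles
# that combine client certificate authentication (peer-cert-mode request or
# require) with session-ticket enabled. The tmsh output below is a constructed
# sample with made-up profile names.
SAMPLE_TMSH_OUTPUT='ltm profile client-ssl /Common/clientssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
        }
    }
    peer-cert-mode ignore
    session-ticket disabled
}
ltm profile client-ssl /Common/mtls-tickets {
    peer-cert-mode require
    session-ticket enabled
}
ltm profile client-ssl /Common/mtls-no-tickets {
    peer-cert-mode request
    session-ticket disabled
}
ltm profile client-ssl /Common/tickets-only {
    peer-cert-mode ignore
    session-ticket enabled
}'

# Reads tmsh output on stdin and prints one vulnerable profile name per line.
# Brace depth is tracked so nested blocks (cert-key-chain etc.) do not end a
# profile early; a profile that omits a setting is treated as not matching.
flag_vulnerable_profiles() {
    awk '
        $NF == "{" { depth++ }
        depth == 1 && $1 == "ltm" && $3 == "client-ssl" { name = $4; mode = ""; ticket = "" }
        depth == 1 && $1 == "peer-cert-mode" { mode = $2 }
        depth == 1 && $1 == "session-ticket" { ticket = $2 }
        $1 == "}" {
            depth--
            if (depth == 0 && (mode == "request" || mode == "require") && ticket == "enabled")
                print name
        }
    '
}

# Runs the check against the constructed sample; on a BIG-IP, pipe the real
# output instead:  tmsh list ltm profile client-ssl | flag_vulnerable_profiles
check_sample() {
    printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | flag_vulnerable_profiles
}
```

Only /Common/mtls-tickets is reported for the sample: the other profiles each lack one of the two settings.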

Check Version:

tmsh show sys version | grep Version

Verify Fix Applied:

Confirm version is patched (16.1.0+, 15.1.4.1+, or outside vulnerable range) and monitor memory usage during SSL traffic.

📡 Detection & Monitoring

Log Indicators:

  • High memory usage alerts in /var/log/ltm
  • SSL session establishment failures
  • System performance degradation logs

Network Indicators:

  • Abnormal increase in SSL/TLS handshake attempts
  • Sustained high-volume SSL traffic to vulnerable virtual servers

SIEM Query:

source="bigip_logs" ("memory high" OR "out of memory") AND "ssl" AND "session"
