CVE-2022-23019
📋 TL;DR
This vulnerability in F5 BIG-IP systems allows an attacker to cause a memory exhaustion denial-of-service (DoS) condition by sending specific traffic to a message routing virtual server configured with both Diameter Session and Router Profiles. It affects BIG-IP versions 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, potentially leading to service disruption for organizations using these configurations.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash or unavailability due to memory exhaustion, causing extended downtime for critical network services.
Likely Case
Degraded performance or intermittent service interruptions as memory usage spikes, impacting application availability.
If Mitigated
Minimal impact if systems are patched or not using the vulnerable configuration, with potential for monitoring to detect anomalies.
🎯 Exploit Status
Exploitation involves sending specific traffic, but details are undisclosed; no public proof-of-concept has been reported, reducing immediate widespread risk.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upgrade to BIG-IP 16.1.2, 15.1.4.1, or 14.1.4.4; versions 13.1.x and 12.1.x are unsupported and should be upgraded to a supported version.
Vendor Advisory: https://support.f5.com/csp/article/K82793463
Restart Required: Yes
Instructions:
1. Review the F5 advisory at the provided URL.
2. Back up configurations.
3. Download and apply the patch from F5 support.
4. Restart the BIG-IP system as required.
5. Verify the fix using version checks.
🔧 Temporary Workarounds
Disable vulnerable configuration
Remove or modify the message routing virtual server configuration so that it does not use both Diameter Session and Router Profiles.
tmsh modify ltm virtual <virtual_server_name> profiles delete { diameter-session router }
🧯 If You Can't Patch
- Monitor memory usage and logs for spikes indicative of exploitation, and implement network segmentation to limit traffic to affected systems.
- Apply strict access controls and rate limiting to reduce exposure to potential malicious traffic.
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version and configuration: run 'tmsh list ltm virtual' to see whether any virtual server references both a Diameter Session profile and a Diameter Router profile, and compare the running version against the affected ranges listed above.
Check Version:
tmsh show sys version
Verify Fix Applied:
After patching, confirm the version is updated to a non-vulnerable release and verify the configuration no longer includes the vulnerable profile combination.
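The two checks above (version in an affected range, and a virtual server carrying both Diameter profile types) can be automated. The script below is an added example written for this page, not F5 tooling: it parses text shaped like the output of 'tmsh show sys version' and 'tmsh list ltm virtual'. Both sample outputs are constructed, the profile names are invented, and the sets of which profile names are Session profiles and which are Router profiles are assumed to be supplied by the operator (on a real system they are the admin-chosen names of the configured Diameter message-routing profiles).

```python
"""Check a BIG-IP for the CVE-2022-23019 preconditions (example, not F5 code).

Vulnerable means: version in an affected range AND at least one virtual server
references both a Diameter Session profile and a Diameter Router profile.
"""
import re

# Affected branches from the advisory: branch -> first fixed version, or None
# when every release of the branch is affected (13.1.x and 12.1.x).
AFFECTED = {
    (16, 1): (16, 1, 2),
    (15, 1): (15, 1, 4, 1),
    (14, 1): (14, 1, 4, 4),
    (13, 1): None,
    (12, 1): None,
}

# Constructed sample of 'tmsh show sys version' output (not a real capture).
SAMPLE_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.3
  Build       0.0.11
  Edition     Final
"""

# Constructed sample of 'tmsh list ltm virtual' output; profile names invented.
SAMPLE_CONFIG = """\
ltm virtual /Common/diam_vs {
    destination /Common/10.0.0.10:3868
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/diameter_session {
            context all
        }
        /Common/diameter_router { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/web_vs {
    destination /Common/10.0.0.20:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
"""


def parse_version(text):
    """Return the numeric version tuple from 'tmsh show sys version' text."""
    m = re.search(r"^\s*Version\s+([\d.]+)", text, re.M)
    if not m:
        raise ValueError("no Version line found")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    fixed = AFFECTED.get(version[:2], "unlisted")
    if fixed == "unlisted":
        return False          # branch not named in the advisory
    if fixed is None:
        return True           # whole branch affected, no fix on that branch
    n = max(len(version), len(fixed))
    pad = lambda t: t + (0,) * (n - len(t))   # 15.1.4 compares as 15.1.4.0
    return pad(version) < pad(fixed)


def parse_virtuals(text):
    """Map each 'ltm virtual' name to the set of profile names it references.

    A brace-depth walk tracks the 'profiles { ... }' stanza; entries inside it
    look like '/Common/name {' or '/Common/name { }'.
    """
    virtuals, current, depth, profiles_depth = {}, None, 0, None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if depth == 0:
            m = re.match(r"ltm virtual (\S+) \{", s)
            if m:
                current = m.group(1)
                virtuals[current] = set()
        elif current is not None:
            if s == "profiles {":
                profiles_depth = depth + 1
            elif profiles_depth is not None and depth == profiles_depth:
                pm = re.match(r"(\S+) \{", s)
                if pm:
                    virtuals[current].add(pm.group(1))
        depth += s.count("{") - s.count("}")
        if profiles_depth is not None and depth < profiles_depth:
            profiles_depth = None          # left the profiles stanza
        if depth == 0:
            current = None                 # left the virtual server block
    return virtuals


def vulnerable_virtuals(virtuals, session_profiles, router_profiles):
    """Names of virtual servers carrying both a Session and a Router profile."""
    return sorted(name for name, profs in virtuals.items()
                  if profs & session_profiles and profs & router_profiles)


def assess(version_text, config_text, session_profiles, router_profiles):
    """Combine both checks into one verdict."""
    version = parse_version(version_text)
    exposed = vulnerable_virtuals(parse_virtuals(config_text),
                                  session_profiles, router_profiles)
    affected = version_is_affected(version)
    return {"version": version, "version_affected": affected,
            "exposed_virtuals": exposed, "vulnerable": affected and bool(exposed)}


if __name__ == "__main__":
    # Assumed operator-supplied mapping of profile names to profile types.
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG,
                 {"/Common/diameter_session"}, {"/Common/diameter_router"}))
```

After patching, the same script should report version_affected False; after removing one of the two profiles from the virtual server, exposed_virtuals should be empty. Either change alone is enough to clear the vulnerable flag, which matches the advisory's two independent remedies.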
📡 Detection & Monitoring
Log Indicators:
- Unusual memory usage spikes in system logs, alerts from BIG-IP monitoring tools, or error messages related to memory exhaustion.
Network Indicators:
- Abnormal traffic patterns to message routing virtual servers, especially Diameter protocol traffic that could trigger the condition.
SIEM Query:
Example: 'source="big-ip" AND (memory_usage > 90% OR log_message CONTAINS "diameter session")'