CVE-2022-23021
📋 TL;DR
This vulnerability in F5 BIG-IP allows attackers to cause denial of service by sending specially crafted requests to virtual servers with specific configurations. When exploited, it causes the Traffic Management Microkernel (TMM) to terminate, disrupting traffic management services. Organizations running affected BIG-IP versions with HTTP redirect rules, APM Access Profiles, or Explicit HTTP Proxy configurations are vulnerable.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP Application Acceleration Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of BIG-IP traffic management capabilities, causing widespread network outages and loss of availability for all services behind the affected BIG-IP devices.
Likely Case
Intermittent service disruptions and instability of BIG-IP devices, requiring manual intervention and restarts to restore functionality.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and response to TMM termination events.
🎯 Exploit Status
Exploitation requires sending undisclosed requests to vulnerable configurations. No authentication is required if the vulnerable virtual server is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.2 or later
Vendor Advisory: https://support.f5.com/csp/article/K57111075
Restart Required: Yes
Instructions:
1. Download BIG-IP version 16.1.2 or later from F5 Downloads.
2. Back up the current configuration.
3. Install the update following F5 upgrade procedures.
4. Restart the BIG-IP system to apply the changes.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Remove vulnerable configurations
Temporarily disable or remove HTTP redirect rules in LTM policies, APM Access Profiles, and Explicit HTTP Proxy configurations from vulnerable virtual servers. (tmsh collection edits use the delete keyword; policies on current BIG-IP versions are edited as drafts and must then be published.)
tmsh modify ltm virtual <virtual_server_name> profiles delete { <http_profile_name> }
tmsh modify ltm policy Drafts/<policy_name> rules delete { <rule_name> }
tmsh publish ltm policy Drafts/<policy_name>
Restrict access to vulnerable virtual servers
Implement network access controls to limit which sources can reach virtual servers with vulnerable configurations. The virtual server's source attribute restricts the client address range it will accept traffic from:
tmsh modify ltm virtual <virtual_server_name> source <allowed_network>/<prefix_length>
tmsh modify ltm virtual <virtual_server_name> source-address-translation { type automap }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable BIG-IP devices from untrusted networks
- Deploy additional monitoring and alerting for TMM process termination events
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version with 'tmsh show sys version' and confirm whether it is running a 16.1.x release earlier than 16.1.2. Then list the virtual servers with 'tmsh list ltm virtual one-line' and examine each for HTTP redirect rules, APM Access Profiles, or Explicit HTTP Proxy configurations.
Check Version:
tmsh show sys version | grep Version
Verify Fix Applied:
After patching, confirm that the version is 16.1.2 or later with 'tmsh show sys version'. Monitor TMM process stability and check the logs for termination events.
📡 Detection & Monitoring
Log Indicators:
- TMM process termination events in /var/log/ltm
- Increased restart frequency of TMM processes
- Error logs related to HTTP processing failures
Network Indicators:
- Unusual patterns of HTTP requests to virtual servers with vulnerable configurations
- Sudden loss of connectivity to services behind BIG-IP
SIEM Query:
source="/var/log/ltm" AND ("TMM terminated" OR "TMM restarting")
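The log indicators above, applied to sample lines as an added example that is not part of this advisory or F5's tooling: the log lines are constructed in syslog layout (real BIG-IP messages differ; only the "TMM terminated" and "TMM restarting" strings come from the SIEM query above), and the burst threshold and window are assumed values to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Indicator strings from the advisory's SIEM query; extend per device output.
INDICATORS = {"TMM terminated": "terminated", "TMM restarting": "restarting"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+(?P<host>\S+)\s+(?P<rest>.*)$")

# CONSTRUCTED sample lines, not real BIG-IP output.
SAMPLE_LOG = """\
Mar  3 10:00:01 bigip1 notice mcpd[1234]: configuration load complete
Mar  3 10:02:15 bigip1 crit sod[2345]: TMM terminated (tmm0)
Mar  3 10:02:16 bigip1 notice sod[2345]: TMM restarting (tmm0)
Mar  3 10:05:40 bigip1 crit sod[2345]: TMM terminated (tmm0)
Mar  3 10:05:41 bigip1 notice sod[2345]: TMM restarting (tmm0)
Mar  3 10:30:00 bigip1 info httpd[333]: request completed
"""


def parse_events(log_text, year=2022):
    """Return [(timestamp, host, kind)] for lines carrying a TMM indicator."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for needle, kind in INDICATORS.items():
            if needle in m["rest"]:
                ts = datetime.strptime(
                    f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
                events.append((ts, m["host"], kind))
                break
    return events


def termination_bursts(events, window=timedelta(minutes=10), threshold=2):
    """Map host -> max terminations seen inside any sliding window of `window`.
    Repeated TMM crashes in a short span are the pattern this DoS produces."""
    flagged = {}
    for host in {h for _, h, _ in events}:
        times = sorted(t for t, h, k in events if h == host and k == "terminated")
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[host] = max(flagged.get(host, 0), n)
    return flagged
```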