CVE-2022-26890
📋 TL;DR
This vulnerability in F5 BIG-IP Advanced WAF, ASM, and APM allows remote attackers to cause denial of service by terminating the bd process. It affects systems with specific configurations where ASM/Advanced WAF with Session Awareness and APM are both enabled on a virtual server. Organizations running affected versions with these configurations are vulnerable.
💻 Affected Systems
- F5 BIG-IP Advanced WAF
- F5 BIG-IP ASM
- F5 BIG-IP APM
📦 What is this software?
BIG-IP Advanced Web Application Firewall by F5
BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for affected virtual servers, disrupting application availability and potentially requiring manual intervention to restart services.
Likely Case
Intermittent service disruptions affecting web applications protected by the vulnerable configuration, leading to downtime and performance degradation.
If Mitigated
Minimal impact with proper network segmentation and monitoring, though the vulnerability still exists until patched.
🎯 Exploit Status
The vulnerability can be triggered by undisclosed requests, suggesting relatively simple exploitation once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 or later
Vendor Advisory: https://support.f5.com/csp/article/K03442392
Restart Required: Yes
Instructions:
1. Download appropriate patch version from F5 Downloads.
2. Backup configuration.
3. Apply patch via F5 management interface.
4. Restart affected services.
5. Verify fix.
🔧 Temporary Workarounds
Disable vulnerable configuration
Disable either ASM/Advanced WAF Session Awareness or APM on affected virtual servers to break the vulnerable configuration chain.
tmsh modify ltm virtual <virtual_server_name> profiles delete { <asm_profile> }
tmsh modify ltm virtual <virtual_server_name> profiles delete { <apm_profile> }
🧯 If You Can't Patch
- Implement network segmentation to restrict access to affected virtual servers
- Enable monitoring for bd process crashes and implement automated restart procedures
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version with 'tmsh show sys version' and verify if ASM/Advanced WAF with Session Awareness and APM are configured on same virtual server with 'Use APM Username and Session ID' enabled.
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify version is patched with 'tmsh show sys version' and test with traffic that previously caused crashes.
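The version half of this check can be scripted. The following is an added example, not code from F5 or from this page: it reads the `Version` field of `tmsh show sys version` and compares it numerically against the fixed release for its branch as listed under Official Fix. The function names are hypothetical, the sample output is constructed, and a `needs-patch` result still has to be paired with the configuration check (Session Awareness and APM on the same virtual server).

```shell
#!/bin/sh
# Added example: compare a BIG-IP version against the fixed releases listed above.

# Constructed sample of `tmsh show sys version` output (not from a real device).
SAMPLE_TMSH_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final'

# Extract the value of the "Version" field from tmsh output on stdin.
version_from_tmsh() {
    awk '$1 == "Version" { print $2; exit }'
}

# First fixed release for the branch a version belongs to (from this page).
fixed_for_branch() {
    case "$1" in
        16.1|16.1.*) echo 16.1.2.1 ;;
        15.1|15.1.*) echo 15.1.5 ;;
        14.1|14.1.*) echo 14.1.4.6 ;;
        13.1|13.1.*) echo 13.1.5 ;;
        *) return 1 ;;
    esac
}

# Succeeds when dotted version $1 is numerically lower than $2.
# Fields are compared as numbers, so 15.1.10 is newer than 15.1.5.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Prints needs-patch, patched, or unknown (branch not listed on this page).
patch_status() {
    fixed=$(fixed_for_branch "$1") || { echo unknown; return 0; }
    if ver_lt "$1" "$fixed"; then echo needs-patch; else echo patched; fi
}

# On a BIG-IP, replace the printf with: tmsh show sys version
current=$(printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | version_from_tmsh)
echo "version $current: $(patch_status "$current")"
```

A branch that returns `unknown` is not covered by the fixed versions listed here; consult the vendor advisory for it.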
📡 Detection & Monitoring
Log Indicators:
- bd process termination logs in /var/log/ltm
- Increased restart events for bd process
- Error messages related to session handling
Network Indicators:
- Unusual traffic patterns to virtual servers with ASM+APM configuration
- Sudden service unavailability spikes
SIEM Query:
source="/var/log/ltm" AND ("bd.*terminated" OR "bd.*crashed")