CVE-2022-27189
📋 TL;DR
This vulnerability in F5 BIG-IP allows attackers to cause memory exhaustion in the Traffic Management Microkernel (TMM) by sending specific traffic to virtual servers configured with ICAP profiles. This can lead to denial of service conditions. Affected organizations are those running vulnerable BIG-IP versions with ICAP profiles enabled.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Acceleration Manager by F5
View all CVEs affecting Big Ip Application Acceleration Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
Big Ip Application Security Manager by F5
View all CVEs affecting Big Ip Application Security Manager →
⚠️ Risk & Real-World Impact
Worst Case
Complete TMM memory exhaustion causing denial of service for all traffic through the BIG-IP device, potentially affecting entire network segments or applications.
Likely Case
Degraded performance and intermittent service disruptions due to increased memory pressure on TMM processes.
If Mitigated
Minimal impact if ICAP profiles are not in use or if traffic filtering prevents malicious packets from reaching vulnerable configurations.
🎯 Exploit Status
Exploitation requires sending specific traffic to vulnerable configurations but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
Vendor Advisory: https://support.f5.com/csp/article/K16187341
Restart Required: Yes
Instructions:
1. Download appropriate fixed version from F5 Downloads. 2. Backup configuration. 3. Install update via F5 management interface. 4. Reboot device as required.
🔧 Temporary Workarounds
Disable ICAP Profiles
allRemove ICAP profiles from virtual server configurations to eliminate vulnerability.
tmsh modify ltm virtual <virtual_server_name> profiles delete { icap }
Restrict ICAP Traffic
allImplement network controls to limit ICAP traffic to trusted sources only.
🧯 If You Can't Patch
- Disable ICAP profiles on all virtual servers immediately
- Implement strict network segmentation and firewall rules to limit traffic to BIG-IP devices
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version with 'tmsh show sys version' and verify if any virtual servers have ICAP profiles configured using 'tmsh list ltm virtual'Check Version:
tmsh show sys versionVerify Fix Applied:
Confirm version is patched with 'tmsh show sys version' and verify no ICAP profiles remain on virtual servers📡 Detection & Monitoring
Log Indicators:
- Unusual TMM memory usage spikes
- ICAP connection errors
- Virtual server performance degradation alerts
Network Indicators:
- Abnormal ICAP traffic patterns
- Unexpected traffic to ICAP-configured virtual servers
SIEM Query:
source="bigip_logs" AND ("TMM memory high" OR "ICAP error" OR virtual_server="*icap*")