CVE-2023-22422
📋 TL;DR
This vulnerability allows remote attackers to cause a denial-of-service (DoS) condition on affected BIG-IP systems by sending specially crafted HTTP requests to virtual servers with specific HTTP profile configurations. The Traffic Management Microkernel (TMM) terminates when processing these requests, disrupting traffic management services. Affected systems are BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3 with specific HTTP profile settings.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption for all traffic managed by the affected virtual server, requiring manual intervention to restart TMM processes.
Likely Case
Intermittent service outages affecting specific virtual servers with the vulnerable configuration, causing temporary traffic disruption.
If Mitigated
No impact if vulnerable HTTP profile settings are not enabled or systems are patched.
🎯 Exploit Status
Exploitation requires sending HTTP requests to vulnerable virtual servers; no authentication is needed if the virtual server is reachable by the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.0.2 or 16.1.3.3
Vendor Advisory: https://my.f5.com/manage/s/article/K43881487
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch using the F5 upgrade procedures.
4. Restart TMM services.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable Vulnerable HTTP Profile Settings
Remove or modify HTTP profiles to disable 'Enforce HTTP Compliance' with the 'Unknown Methods: Reject' setting on vulnerable virtual servers.
tmsh modify ltm profile http <profile_name> enforcement disabled
tmsh modify ltm profile http <profile_name> unknown-method allow
🧯 If You Can't Patch
- Apply workaround to disable vulnerable HTTP profile settings on all virtual servers
- Implement network controls to restrict access to vulnerable virtual servers from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version with 'tmsh show sys version' and check whether any virtual servers use HTTP profiles with both the 'enforcement enabled' and 'unknown-method reject' settings; a system is exposed only when an affected version and such a profile occur together.
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm version is 17.0.0.2 or higher for 17.0.x, or 16.1.3.3 or higher for 16.1.x using 'tmsh show sys version'.
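The two checks above can be run against saved tmsh output with a short script. This is an added example, not F5 tooling: the sample outputs are constructed, and the flat 'enforcement' / 'unknown-method' keys in the profile listing mirror the setting names used on this page rather than a verified tmsh listing format.

```python
import re

# Constructed sample in the shape of `tmsh show sys version` (not from a real device).
SAMPLE_VERSION = """Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.1
  Build       0.0.11
"""

# Constructed sample in the shape of `tmsh list ltm profile http`; the flat
# `enforcement` and `unknown-method` keys are assumed, mirroring the advisory wording.
SAMPLE_PROFILES = """ltm profile http http_strict {
    defaults-from http
    enforcement enabled
    unknown-method reject
}
ltm profile http http_default {
    defaults-from http
    enforcement disabled
    unknown-method allow
}
"""

# Affected branches and the first fixed release in each, as stated on this page.
FIXED = {(17, 0): (17, 0, 0, 2), (16, 1): (16, 1, 3, 3)}

def parse_version(text):
    """Extract the 'Version' line as a 4-tuple of ints, padding short versions with zeros."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", text, re.M)
    if not m:
        raise ValueError("no Version line found")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def version_is_affected(version):
    fixed = FIXED.get(version[:2])          # only the two listed branches are affected
    return fixed is not None and version < fixed

def vulnerable_profiles(text):
    """Names of HTTP profiles with enforcement enabled AND unknown-method reject."""
    names = []
    for m in re.finditer(r"ltm profile http (\S+) \{(.*?)^\}", text, re.S | re.M):
        name, body = m.group(1), m.group(2)
        enf = re.search(r"\benforcement\s+(\w+)", body)
        unk = re.search(r"\bunknown-method\s+(\w+)", body)
        if enf and unk and enf.group(1) == "enabled" and unk.group(1) == "reject":
            names.append(name)
    return names

def assess(version_text, profile_text):
    """Exposed only when the version is affected and at least one profile matches."""
    profiles = vulnerable_profiles(profile_text)
    return version_is_affected(parse_version(version_text)) and bool(profiles), profiles

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_PROFILES))
```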
📡 Detection & Monitoring
Log Indicators:
- TMM process termination logs
- High rate of HTTP requests with unusual methods
- Virtual server availability alerts
Network Indicators:
- Sudden drop in traffic to specific virtual servers
- HTTP requests with malformed or unusual methods
SIEM Query:
source="bigip_logs" AND ("TMM terminated" OR ("http profile enforcement" AND "reject"))