CVE-2021-22991 vulnerability in F5 Networks Products
Published on March 31, 2021

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Vendor Advisory NVD

Known Exploited Vulnerability

This F5 BIG-IP Traffic Management Microkernel Buffer Overflow vulnerability is part of CISA's list of Known Exploited Vulnerabilities. The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

The following remediation steps are recommended / required by February 1, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2021-22991 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a Buffer Overflow Vulnerability?

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2021-22991 has been classified to as a Buffer Overflow vulnerability or weakness.

Products Associated with CVE-2021-22991

You can be notified by stack.watch whenever vulnerabilities like CVE-2021-22991 are published in these products:

F5 Networks Big Ip Access Policy Manager

F5 Networks Big Ip Advanced Firewall Manager

F5 Networks Big Ip Advanced Web Application Firewall

F5 Networks Big Ip Analytics

F5 Networks Big Ip Application Acceleration Manager

F5 Networks Big Ip Application Security Manager

F5 Networks Big Ip Ddos Hybrid Defender

F5 Networks Big Ip Domain Name System

F5 Networks Big Ip Fraud Protection Service

F5 Networks Big Ip Global Traffic Manager

F5 Networks Big Ip Link Controller

F5 Networks Big Ip Local Traffic Manager

F5 Networks Big Ip Policy Enforcement Manager

F5 Networks Ssl Orchestrator

What versions are vulnerable to CVE-2021-22991?

F5 Networks Big Ip Access Policy Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Advanced Firewall Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Application Acceleration Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Analytics Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Application Security Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Domain Name System Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Global Traffic Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Fraud Protection Service Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Link Controller Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Local Traffic Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Policy Enforcement Manager Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Advanced Web Application Firewall Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Ddos Hybrid Defender Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Big Ip Access Policy Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Analytics Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Application Acceleration Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Application Security Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Domain Name System Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Global Traffic Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Local Traffic Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Advanced Web Application Firewall Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Ddos Hybrid Defender Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Link Controller Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Policy Enforcement Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Access Policy Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Advanced Firewall Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Advanced Web Application Firewall Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Analytics Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Application Acceleration Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Application Security Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Ddos Hybrid Defender Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Domain Name System Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Fraud Protection Service Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Global Traffic Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Link Controller Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Local Traffic Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Policy Enforcement Manager Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Big Ip Application Security Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Application Acceleration Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Application Acceleration Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Local Traffic Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Local Traffic Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Advanced Web Application Firewall Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Advanced Web Application Firewall Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Advanced Firewall Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Advanced Firewall Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Advanced Firewall Manager Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Analytics Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Analytics Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Application Security Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Access Policy Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Access Policy Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Ddos Hybrid Defender Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Ddos Hybrid Defender Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Domain Name System Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Domain Name System Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Fraud Protection Service Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Fraud Protection Service Version 13.1.0 Fixed in Version 13.1.3.6
F5 Networks Big Ip Fraud Protection Service Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Global Traffic Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Global Traffic Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Link Controller Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Link Controller Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Big Ip Policy Enforcement Manager Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Big Ip Policy Enforcement Manager Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Ssl Orchestrator Version 12.1.0 Fixed in Version 12.1.5.3
F5 Networks Ssl Orchestrator Version 15.1.0 Fixed in Version 15.1.2.1
F5 Networks Ssl Orchestrator Version 14.1.0 Fixed in Version 14.1.4
F5 Networks Ssl Orchestrator Version 16.0.0 Fixed in Version 16.0.1.1
F5 Networks Ssl Orchestrator Version 13.1.0 Fixed in Version 13.1.3.6