CVE-2021-22991

critical-risk

Published 2021-03-31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Do I need to act?

73.1% chance of exploitation in next 30 days

EPSS score — higher than 27% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (14)

Big-Ip Access Policy Manager

Big-Ip Advanced Firewall Manager

Big-Ip Advanced Web Application Firewall

Big-Ip Analytics

Big-Ip Application Acceleration Manager

Big-Ip Application Security Manager

Big-Ip Ddos Hybrid Defender

Big-Ip Domain Name System

Big-Ip Fraud Protection Service

Big-Ip Global Traffic Manager

Big-Ip Link Controller

Big-Ip Local Traffic Manager

Big-Ip Policy Enforcement Manager

Ssl Orchestrator

Affected Vendors

References (3)

Vendor Advisory https://support.f5.com/csp/article/K56715231

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 26/34 · High

Exposure 18/34 · Moderate