Main Vulnerability Database SB2021031604

SB2021031604 - Denial of service in BIG-IP MPTCP

Published: March 16, 2021

Security Bulletin ID SB2021031604

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource management error (CVE-ID: CVE-2021-23003)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing MPTCP traffic. A remote attacker can send specially crafted data to the system and force TMM to produce a core file, resulting in denial of service.

The vulnerability can be also triggered in rare circumstances by running the tmsh show conn command.

Remediation

Install update from vendor's website.

References

https://support.f5.com/csp/article/K43470422

Vulnerable Software

BIG-IP: 11.6.1 - 16.0.1
BIG-IP LTM: 11.6.1 - 16.0.1
BIG-IP AAM: 11.6.1 - 16.0.1
BIG-IP Advanced WAF: 11.6.1 - 16.0.1
BIG-IP AFM: 11.6.1 - 16.0.1
BIG-IP Analytics: 11.6.1 - 16.0.1
BIG-IP APM: 11.6.1 - 16.0.1
BIG-IP ASM: 11.6.1 - 16.0.1
BIG-IP DDHD: 11.6.1 - 16.0.1
BIG-IP DNS: 11.6.1 - 16.0.1
BIG-IP FPS: 11.6.1 - 16.0.1
BIG-IP GTM: 11.6.1 - 16.0.1
BIG-IP Link Controller: 11.6.1 - 16.0.1
BIG-IP PEM: 11.6.1 - 16.0.1
BIG-IP SSLO: 11.6.1 - 16.0.1