Vulnerabilities > CVE-2023-22302 - Missing Release of Resource after Effective Lifetime vulnerability in F5 products

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

high complexity

CWE-772

NVD

Published: 2023-02-01

Updated: 2023-11-07

Summary

In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Advanced Firewall Manager 17.0.0 F5 BIG IP Advanced Firewall Manager 16.1.2.2 F5 BIG IP Advanced Firewall Manager 16.1.3 F5 BIG IP Advanced Firewall Manager 16.1.3.1 F5 BIG IP Advanced Firewall Manager 16.1.3.2 F5 BIG IP Access Policy Manager 17.0.0 F5 BIG IP Access Policy Manager 16.1.2.2 F5 BIG IP Access Policy Manager 16.1.3 F5 BIG IP Access Policy Manager 16.1.3.1 F5 BIG IP Policy Enforcement Manager 16.1.2.2 F5 BIG IP Policy Enforcement Manager 16.1.3 F5 BIG IP Policy Enforcement Manager 16.1.3.1 F5 BIG IP Policy Enforcement Manager 17.0.0 F5 BIG IP Local Traffic Manager 16.1.2.2 F5 BIG IP Local Traffic Manager 16.1.3 F5 BIG IP Local Traffic Manager 16.1.3.1 F5 BIG IP Local Traffic Manager 17.0.0 F5 BIG IP Link Controller 16.1.2.2 F5 BIG IP Link Controller 16.1.3 F5 BIG IP Link Controller 16.1.3.1 F5 BIG IP Link Controller 17.0.0 F5 BIG IP Fraud Protection Service 16.1.2.2 F5 BIG IP Fraud Protection Service 16.1.3 F5 BIG IP Fraud Protection Service 16.1.3.1 F5 BIG IP Fraud Protection Service 17.0.0 F5 BIG IP Domain Name System 16.1.2.2 F5 BIG IP Domain Name System 16.1.3 F5 BIG IP Domain Name System 16.1.3.1 F5 BIG IP Domain Name System 17.0.0 F5 BIG IP Ddos Hybrid Defender 16.1.2.2 F5 BIG IP Ddos Hybrid Defender 16.1.3 F5 BIG IP Ddos Hybrid Defender 16.1.3.1 F5 BIG IP Ddos Hybrid Defender 17.0.0 F5 BIG IP Application Security Manager 16.1.2.2 F5 BIG IP Application Security Manager 16.1.3 F5 BIG IP Application Security Manager 16.1.3.1 F5 BIG IP Application Security Manager 17.0.0 F5 BIG IP Analytics 16.1.2.2 F5 BIG IP Analytics 16.1.3 F5 BIG IP Analytics 16.1.3.1 F5 BIG IP Analytics 17.0.0 F5 BIG IP Application Acceleration Manager 16.1.2.2 F5 BIG IP Application Acceleration Manager 16.1.3 F5 BIG IP Application Acceleration Manager 16.1.3.1 F5 BIG IP Application Acceleration Manager 17.0.0 F5 BIG IP SSL Orchestrator 16.1.2.2 F5 BIG IP SSL Orchestrator 16.1.3 F5 BIG IP SSL Orchestrator 16.1.3.1 F5 BIG IP SSL Orchestrator 17.0.0	49

Common Weakness Enumeration (CWE)

CWE-772 - Missing Release of Resource after Effective Lifetime

Common Attack Pattern Enumeration and Classification (CAPEC)

HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

References

https://my.f5.com/manage/s/article/K58550078