CVE-2021-22991 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-22991 PUBLISHED KEV CVSS 6.800000190734863 MEDIUM

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

EPSS 73.09% · 98.8th percentile

Risk Scores

CVSS v2.0

6.800000190734863

EPSS Score

73.09%

98.8th percentile

Affected Products

Vendor	Product	Versions
f5	big-ip_ddos_hybrid_defender	12.1.0, 16.0.0, 15.1.0
f5	big-ip_advanced_web_application_firewall	13.1.0, 12.1.0, 15.1.0
f5	big-ip_fraud_protection_service	13.1.0, 12.1.0, 16.0.0
f5	big-ip_access_policy_manager	12.1.0, 16.0.0, 15.1.0
f5	big-ip_global_traffic_manager	15.1.0, 12.1.0, 13.1.0
f5	big-ip_local_traffic_manager	15.1.0, 16.0.0, 12.1.0
f5	big-ip_application_security_manager	16.0.0, 12.1.0, 13.1.0
f5	big-ip_application_acceleration_manager	15.1.0, 12.1.0, 13.1.0
f5	big-ip_link_controller	16.0.0, 15.1.0, 14.1.0
f5	big-ip_analytics	15.1.0, 16.0.0, 12.1.0
f5	big-ip_advanced_firewall_manager	14.1.0, 12.1.0, 13.1.0
f5	big-ip_domain_name_system	16.0.0, 15.1.0, 14.1.0
f5	big-ip_policy_enforcement_manager	14.1.0, 12.1.0, 13.1.0
n/a	BIG-IP	16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3
f5	ssl_orchestrator	16.0.0, 12.1.0, 13.1.0

Timeline

Mar 11, 2021 CVE Published
Mar 11, 2021 PoC Published
Mar 12, 2021 PoC Published
Mar 12, 2021 PoC Published
Mar 18, 2021 PoC Published
Apr 14, 2021 EPSS Score
Sep 23, 2021 PoC Published
Jan 6, 2022 EPSS Score
Jan 18, 2022 CISA KEV Added
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Mar 7, 2023 EPSS Score

References

https://support.f5.com/csp/article/K03009991 advisory
https://support.f5.com/csp/article/K68251873 advisory
https://support.f5.com/csp/article/K67830124 advisory
https://support.f5.com/csp/article/K66851119 advisory
https://support.f5.com/csp/article/K56715231 advisory
https://support.f5.com/csp/article/K51674118 advisory
https://support.f5.com/csp/article/K18132488 advisory
https://support.f5.com/csp/article/K45056101 advisory
https://support.f5.com/csp/article/K52510511 advisory
https://support.f5.com/csp/article/K70031188 advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22991 url
https://nvd.nist.gov/vuln/detail/CVE-2021-22991 advisory

Open in Interactive Console →