VDB
CVE-2021-22992
CVE-2021-22992
PUBLISHED
CVSS 9.800000190734863 CRITICAL
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
EPSS 7.78% · 92.1th percentile
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
7.78%
92.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| f5 | big-ip_local_traffic_manager | 12.1.0, 13.1.0, 11.6.1 |
| f5 | big-ip_policy_enforcement_manager | 11.6.1, 12.1.0, 14.1.0 |
| f5 | big-ip_global_traffic_manager | 14.1.0, 16.0.0, 15.1.0 |
| f5 | big-ip_application_security_manager | 13.1.0, 12.1.0, 14.1.0 |
| f5 | big-ip_advanced_web_application_firewall | 13.1.0, 16.0.0, 15.1.0 |
| f5 | big-ip_link_controller | 16.0.0, 15.1.0, 14.1.0 |
| f5 | big-ip_advanced_firewall_manager | 12.1.0, 11.6.1, 16.0.0 |
| f5 | big-ip_ddos_hybrid_defender | 16.0.0, 11.6.1, 12.1.0 |
| f5 | ssl_orchestrator | 11.6.1, 16.0.0, 15.1.0 |
| f5 | big-ip_fraud_protection_service | 11.6.1, 15.1.0, 16.0.0 |
| f5 | big-ip_analytics | 15.1.0, 11.6.1, 12.1.0 |
| n/a | BIG-IP Advanced WAF and BIG-IP ASM | 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, 11.6.x before 11.6.5.3 |
| f5 | big-ip_application_acceleration_manager | 14.1.0, 15.1.0, 12.1.0 |
| f5 | big-ip_access_policy_manager | 13.1.0, 11.6.1, 15.1.0 |
| f5 | big-ip_domain_name_system | 16.0.0, 15.1.0, 14.1.0 |
Timeline
- Mar 11, 2021 CVE Published
- Mar 11, 2021 PoC Published
- Mar 12, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Sep 23, 2021 PoC Published
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://support.f5.com/csp/article/K03009991 advisory
- https://support.f5.com/csp/article/K68251873 advisory
- https://support.f5.com/csp/article/K67830124 advisory
- https://support.f5.com/csp/article/K66851119 advisory
- https://support.f5.com/csp/article/K56715231 advisory
- https://support.f5.com/csp/article/K51674118 advisory
- https://support.f5.com/csp/article/K18132488 advisory
- https://support.f5.com/csp/article/K45056101 advisory
- https://support.f5.com/csp/article/K52510511 advisory
- https://support.f5.com/csp/article/K70031188 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-22992 advisory