CVE-2021-22991
Published: 31 March 2021
Summary
CVE-2021-22991 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in F5 BIG-IP. The flaw sits in the Traffic Management Microkernel (TMM), the data plane shared by every BIG-IP module, so it affects deployments of all modules, including Access Policy Manager. Its CVSS base score is 9.8 (Critical).
It is ranked in the top 1.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2021-22991 is a buffer overflow vulnerability in F5 BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3. The flaw resides in the Traffic Management Microkernel (TMM) handling of URI normalization for requests sent to virtual servers and is tracked under CWE-119. It carries a CVSS v3.1 score of 9.8.
An unauthenticated remote attacker who can reach an affected virtual server can send the crafted requests. Successful exploitation produces a denial of service; F5 notes that in certain situations the same flaw may theoretically allow bypass of URL-based access control or remote code execution.
F5 addresses the issue in knowledge article K56715231, which supplies the fixed software versions and recommended remediation steps. The vulnerability appears in CISA’s catalog of known exploited vulnerabilities.
The high severity and confirmed in-the-wild exploitation underscore the need for prompt patching of exposed BIG-IP deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10109
Vulnerability details
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
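Checking a fleet against the version list above (the same ranges are given in the Deeper analysis section) is easy to get wrong by hand, because each branch has its own fix version and the "before" comparison is on the full four-part version. The following Python helper is an added example written for this page, not F5's code and not part of K56715231: it parses the version string that `tmsh show sys version` prints, classifies it against the ranges stated above, and reports which hosts in a constructed inventory still need the upgrade. The hostnames and inventory are made up; treating versions as dotted integers is an assumption that holds for the release versions listed here (engineering hotfix builds are not modeled).

```python
"""Triage helper for CVE-2021-22991: classify BIG-IP version strings
against the affected ranges published in the advisory text.

Added example for this page, not F5's code. The fixed versions below are
the ones stated above; parsing versions as dotted integers is an assumption
matching the "Version 15.1.0.4" line printed by `tmsh show sys version`.
"""
import re

# (major, minor) branch -> first fixed version on that branch, from the advisory.
# A version is affected when it is on the branch and strictly below the fix.
FIXED_IN = {
    (16, 0): (16, 0, 1, 1),
    (15, 1): (15, 1, 2, 1),
    (14, 1): (14, 1, 4, 0),
    (13, 1): (13, 1, 3, 6),
    (12, 1): (12, 1, 5, 3),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract a BIG-IP version from text such as "Version 15.1.0.4" or
    "16.0.1" and return it as a 4-tuple of ints, zero-padding short forms
    (16.0.1 -> (16, 0, 1, 0)). Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Return one of:
      "affected" - on a listed branch and below that branch's fixed version
      "fixed"    - on a listed branch at or above the fixed version
      "unlisted" - branch not in the advisory (EoSD trains were not evaluated;
                   trains released later are not covered by this list either),
                   so review manually rather than assuming it is safe
    """
    v = parse_version(text)
    fix = FIXED_IN.get(v[:2])
    if fix is None:
        return "unlisted"
    return "affected" if v < fix else "fixed"


def triage(inventory):
    """Run classify() over a {hostname: version_string} inventory and return
    the sorted hostnames that still need the K56715231 upgrade."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical hostnames, not real devices.
    sample = {
        "bigip-edge-01": "Version 15.1.0.4",
        "bigip-edge-02": "Version 15.1.2.1",
        "bigip-dc-01": "16.0.1",
        "bigip-dc-02": "16.0.1.1",
        "bigip-lab-01": "13.1.3.5",
        "bigip-old-01": "11.6.5.2",
    }
    for host in sorted(sample):
        print(f"{host:14s} {sample[host]:18s} {classify(sample[host])}")
    print("needs upgrade:", triage(sample))
```

Note the asymmetry in the result: "unlisted" covers both EoSD trains, which F5 explicitly did not evaluate, and newer trains that postdate this advisory, so it is a manual-review bucket, not a clean bill of health.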
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches (the fixed versions listed in K56715231) that eliminate the TMM URI-normalization buffer overflow.
- SI-10 (Information Input Validation): mandates validation of externally supplied data (here, request URIs) before processing, blocking the malformed requests that trigger the overflow. On an unpatched device the URI normalization code in TMM is itself the vulnerable path, so this control only helps when the filtering happens upstream of BIG-IP or after the fixed version is installed.
- SC-7 (Boundary Protection): enforces boundary filtering and inspection of traffic destined to virtual servers, so that unauthenticated crafted requests can only arrive from the networks that genuinely need to reach those virtual servers.