CVE-2022-35245 in BIG-IP
Summary
by MITRE • 08/04/2022
In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5.1, when a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 08/30/2022
The vulnerability identified as CVE-2022-35245 represents a critical stability issue within F5 BIG-IP application delivery controllers that affects multiple major versions including 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5.1. This flaw specifically impacts the Traffic Management Microkernel (TMM) component which serves as the core processing engine for traffic handling within the BIG-IP platform. The vulnerability manifests when specific APM access policies are configured on virtual servers, creating a condition where certain types of traffic can trigger unexpected termination of the TMM process. This represents a denial of service vulnerability that can severely impact network availability and application accessibility for organizations relying on F5 BIG-IP appliances for their infrastructure.
The technical nature of this vulnerability stems from improper handling of traffic patterns within the TMM subsystem when processing specific access policy configurations. According to CWE classification, this vulnerability falls under CWE-682 Incorrect Calculation, as it involves miscalculations or improper processing of traffic data that leads to system instability. The flaw occurs during the processing of access policy decisions, where the TMM fails to properly validate or handle certain traffic flows that contain undisclosed characteristics. As a result, either a malicious actor or benign traffic with characteristics the system was not designed to handle can cause the TMM to crash and terminate unexpectedly, leading to complete service disruption for the affected virtual servers.
The operational impact of CVE-2022-35245 extends beyond simple service disruption to encompass significant business continuity risks for organizations utilizing F5 BIG-IP appliances. When the TMM terminates, all traffic flowing through the affected virtual servers ceases immediately, resulting in complete loss of application availability until the system is manually restarted or the appliance is rebooted. This vulnerability can be exploited by attackers who craft specific traffic patterns to trigger the termination, or it could be accidentally triggered by legitimate traffic that contains unusual characteristics. The attack surface is particularly concerning because it affects the core traffic processing functionality of the appliance, making it difficult to predict or prevent without proper patching or mitigation strategies. From an ATT&CK framework perspective, this vulnerability maps to T1499.004 - Endpoint Termination, where the adversary targets system stability and availability through manipulation of core infrastructure components.
Organizations affected by this vulnerability should prioritize immediate remediation through official F5 patches released for the affected versions. The recommended mitigation strategy involves upgrading to the patched versions mentioned in the CVE description, specifically 16.1.3.1, 15.1.6.1, and 14.1.5.1. Additionally, network administrators should implement traffic monitoring and anomaly detection systems to identify potentially malicious traffic patterns that could trigger the vulnerability before they cause service disruption. Configuration reviews should be conducted to minimize the exposure of virtual servers with problematic APM access policies, and network segmentation strategies can help limit the impact should the vulnerability be exploited. Organizations should also consider implementing redundant BIG-IP appliances or failover mechanisms to maintain service availability during patching operations and to provide resilience against such stability issues. The vulnerability highlights the importance of maintaining current support status for critical infrastructure components and demonstrates how seemingly minor configuration elements can lead to catastrophic system failures.
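As an added example (not code from VulDB or F5), the following Python helper maps a BIG-IP version string onto the affected and fixed ranges stated in the CVE entry so that a device inventory can be triaged for patching. The branch prefixes and fixed versions come from the CVE text; the hostnames and version strings in the sample inventory are constructed.

```python
# Added example: triage BIG-IP versions against the CVE-2022-35245 ranges.
# Branches and first fixed versions are taken from the CVE description.
from typing import Dict, List, Optional, Tuple

# (affected branch) -> first fixed version on that branch, per the CVE entry
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (16, 1): (16, 1, 3, 1),
    (15, 1): (15, 1, 6, 1),
    (14, 1): (14, 1, 5, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted BIG-IP version such as '16.1.2.2' into a 4-tuple of ints.
    A trailing build suffix after '-' is dropped and short versions are
    zero-padded, so '16.1' compares as 16.1.0.0."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix on an affected branch, False if
    it is on an affected branch at or above the fix, None if the branch is
    not one the CVE entry evaluates (e.g. EoTS branches or newer majors)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])  # type: ignore[arg-type]
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> 'affected' / 'fixed' / 'not evaluated' for an
    inventory of (hostname, version) pairs."""
    labels = {True: "affected", False: "fixed", None: "not evaluated"}
    return {host: labels[is_affected(ver)] for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("lb-01", "16.1.2.2"), ("lb-02", "16.1.3.1"), ("lb-03", "15.1.5"),
              ("lb-04", "14.1.5.1"), ("lb-05", "13.1.5"), ("lb-06", "16.1.2.2-0.0.28")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A "not evaluated" result does not mean safe: the CVE entry states that EoTS branches were not assessed. The check also cannot see whether an APM access policy is attached to a virtual server, which the entry names as the condition for the crash, so an "affected" host still needs a configuration review.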