ID

VAR-202109-0787


CVE

CVE-2021-23049


TITLE

Resource exhaustion vulnerability in multiple F5 Networks products

Trust: 0.8

sources: JVNDB: JVNDB-2021-011976

DESCRIPTION

On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Multiple F5 Networks products contain a resource exhaustion vulnerability. Service operation may be interrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. F5 BIG-IP has a security vulnerability. The vulnerability stems from the ability to modify and increase the request or response body size when using decompressors, JSON transcoders, gRPC-Web, or other proprietary extensions. An attacker could exploit this vulnerability to read invalid memory and cause a crash, resulting in a denial of service.

Trust: 1.8

sources: NVD: CVE-2021-23049 // JVNDB: JVNDB-2021-011976 // VULHUB: VHN-381535 // VULMON: CVE-2021-23049

AFFECTED PRODUCTS

vendor: f5 // model: big-ip link controller // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip fraud protection service // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip local traffic manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip advanced firewall manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip application acceleration manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip analytics // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip application security manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip advanced firewall manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip fraud protection service // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip local traffic manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip advanced firewall manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip domain name system // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip application acceleration manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip analytics // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip application security manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip advanced web application firewall // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip application security manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip global traffic manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip advanced firewall manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip fraud protection service // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip domain name system // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip application acceleration manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip advanced web application firewall // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip global traffic manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip link controller // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip application security manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip global traffic manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip link controller // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip advanced web application firewall // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip application acceleration manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip link controller // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip domain name system // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip local traffic manager // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip global traffic manager // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip fraud protection service // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip local traffic manager // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip analytics // scope: gte // version: 16.0.0

Trust: 1.0

vendor: f5 // model: big-ip domain name system // scope: gte // version: 15.1.0

Trust: 1.0

vendor: f5 // model: big-ip advanced web application firewall // scope: lt // version: 16.0.1.2

Trust: 1.0

vendor: f5 // model: big-ip analytics // scope: lt // version: 15.1.3

Trust: 1.0

vendor: f5 // model: big-ip link controller // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip application security manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip global traffic manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip access policy manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip advanced firewall manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip analytics // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip advanced web application firewall // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip local traffic manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip application acceleration manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip fraud protection service // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip domain name system // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23049
value: HIGH

Trust: 1.0

NVD: CVE-2021-23049
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202108-2294
value: HIGH

Trust: 0.6

VULHUB: VHN-381535
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-23049
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-23049
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-381535
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23049
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-23049
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // JVNDB: JVNDB-2021-011976 // CNNVD: CNNVD-202108-2294 // NVD: CVE-2021-23049

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

problemtype: Resource exhaustion (CWE-400) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-381535 // JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-2294

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202108-2294

PATCH

title: K65397301 // url: https://support.f5.com/csp/article/K65397301

Trust: 0.8

title: F5 BIG-IP Remediation of resource management error vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163748

Trust: 0.6

sources: JVNDB: JVNDB-2021-011976 // CNNVD: CNNVD-202108-2294

EXTERNAL IDS

db: NVD // id: CVE-2021-23049

Trust: 3.4

db: JVNDB // id: JVNDB-2021-011976

Trust: 0.8

db: CNNVD // id: CNNVD-202108-2294

Trust: 0.7

db: AUSCERT // id: ESB-2021.2867

Trust: 0.6

db: VULHUB // id: VHN-381535

Trust: 0.1

db: VULMON // id: CVE-2021-23049

Trust: 0.1

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // JVNDB: JVNDB-2021-011976 // CNNVD: CNNVD-202108-2294 // NVD: CVE-2021-23049

REFERENCES

url:https://support.f5.com/csp/article/k65397301

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-23049

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.2867

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-memory-leak-via-irules-resolver-summarize-36205

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // JVNDB: JVNDB-2021-011976 // CNNVD: CNNVD-202108-2294 // NVD: CVE-2021-23049

SOURCES

db: VULHUB // id: VHN-381535
db: VULMON // id: CVE-2021-23049
db: JVNDB // id: JVNDB-2021-011976
db: CNNVD // id: CNNVD-202108-2294
db: NVD // id: CVE-2021-23049

LAST UPDATE DATE

2024-08-14T13:43:23.980000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-381535 // date: 2021-09-24T00:00:00
db: VULMON // id: CVE-2021-23049 // date: 2021-09-24T00:00:00
db: JVNDB // id: JVNDB-2021-011976 // date: 2022-08-19T04:41:00
db: CNNVD // id: CNNVD-202108-2294 // date: 2021-09-26T00:00:00
db: NVD // id: CVE-2021-23049 // date: 2021-09-24T15:02:51.520

SOURCES RELEASE DATE

db: VULHUB // id: VHN-381535 // date: 2021-09-14T00:00:00
db: VULMON // id: CVE-2021-23049 // date: 2021-09-14T00:00:00
db: JVNDB // id: JVNDB-2021-011976 // date: 2022-08-19T00:00:00
db: CNNVD // id: CNNVD-202108-2294 // date: 2021-08-24T00:00:00
db: NVD // id: CVE-2021-23049 // date: 2021-09-14T13:15:11.033