CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2021-22991

CVSS 9.8v3.1pub. 2021-03-31upd. 2025-10-27

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • F5 Big Ip Access Policy Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Advanced Firewall Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Advanced Web Application Firewall

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Analytics

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Application Acceleration Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Application Security Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Ddos Hybrid Defender

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Domain Name System

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Fraud Protection Service

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Global Traffic Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Link Controller

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Local Traffic Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Big Ip Policy Enforcement Manager

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)
  • F5 Ssl Orchestrator

    APP
    F5
    12.1.0 – 12.1.5.3 (bez)13.1.0 – 13.1.3.6 (bez)14.1.0 – 14.1.4 (bez)15.1.0 – 15.1.2.1 (bez)16.0.0 – 16.0.1.1 (bez)

CISA KEV — detailsi

Vendori
F5
Producti
BIG-IP Traffic Management Microkernel
Added to KEVi
January 18, 2022
Remediation deadline (US Federal)i
February 1, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 1 lutego 2022
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2025-53521CRITICAL9.3⚠ KEVPL ✓ten sam produkt

RCE w F5 BIG-IP APM poprzez złośliwy ruch sieciowy (stack buffer overflow)

CVE-2023-46747CRITICAL9.8⚠ KEVten sam produkt

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access...

CVE-2022-1388CRITICAL9.8⚠ KEVten sam produkt

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14...

CVE-2021-22986CRITICAL9.8⚠ KEVten sam produkt

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3....

CVE-2020-5902CRITICAL9.8⚠ KEVten sam produkt

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, th...