When an LTM virtual server is configured to perform normalization, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2022-34862)
Impact
This vulnerability affects systems with one or more of the following configurations.
Affected configurations
BIG-IP APM
This vulnerability affects a virtual server associated with a BIG-IP APM profile. All BIG-IP APM use cases are vulnerable.
BIG-IP ASM
This vulnerability affects only BIG-IP ASM Risk Engine use cases. BIG-IP ASM Risk Engine is currently available only to Early Access (EA) customers and requires a special license.
BIG-IP PEM
This vulnerability affects BIG-IP PEM systems that use:
Secure Web Gateway
This vulnerability affects all F5 Secure Web Gateway (SWG) use cases. URL categorization is fundamental to the operation of SWG. SWG requires a separate subscription.
SSL Orchestrator
This vulnerability affects all systems that use the SSL Orchestrator Categorization macro.
BIG-IP (all modules)
This vulnerability affects all BIG-IP system modules that use one or more of the following configurations:
Note: The Use normalized URI option is disabled by default.
For more information about HTTP profiles and local traffic policy rules, refer to K40243113: Overview of the HTTP profile and K04597703: Overview of the Local Traffic Policies feature (12.1.0 and later) respectively.
For example, in the following configuration, the local traffic policy is vulnerable:
ltm policy /Common/K56715231 {
    requires { http http-connect }
    rules {
        VULN_RULE01 {
            conditions {
                0 {
                    http-uri
                    proxy-connect
                    normalized
                    values { VULN_URI_STRING }
                }
            }
        }
        VULN_RULE02 {
            conditions {
                0 {
                    http-referer
                    proxy-connect
                    normalized
                    values { VULN_REF_STRING }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
For example, the following iRule is vulnerable:
when HTTP_REQUEST {
    if { ([HTTP::uri -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 URI example"
    } elseif { ([HTTP::query -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Query example"
    } elseif { ([HTTP::path -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Path example"
    }
}
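Both of the vulnerable configurations above leave the same markers in a tmsh configuration export: the `normalized` keyword inside a local traffic policy condition, and `-normalized` on an HTTP::uri, HTTP::path or HTTP::query call inside an iRule. The following Python script is an added example and is not part of the F5 article; it scans config text for those two markers so an administrator can list every policy rule and iRule that would need review. The embedded sample is constructed from the article's policy and iRule plus one policy rule and one iRule branch that do not use normalization (so the scan has something to skip); the iRule name /Common/K56715231_irule and the non-vulnerable values are assumptions.

```python
import re

# Constructed sample: the article's policy and iRule, plus a SAFE_RULE02 and a plain
# [HTTP::path] branch that do NOT normalize. Not a real device export.
SAMPLE_CONFIG = """\
ltm policy /Common/K56715231 {
    requires { http http-connect }
    rules {
        VULN_RULE01 {
            conditions {
                0 {
                    http-uri
                    proxy-connect
                    normalized
                    values { VULN_URI_STRING }
                }
            }
        }
        SAFE_RULE02 {
            conditions {
                0 {
                    http-uri
                    values { /static }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
ltm rule /Common/K56715231_irule {
when HTTP_REQUEST {
    if { ([HTTP::uri -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 URI example"
    } elseif { [HTTP::path] starts_with "/other" } {
        log local0.error "plain path match, no normalization"
    }
}
}
"""

# The three normalized iRule commands named in the article.
IRULE_NORMALIZED = re.compile(r"HTTP::(?:uri|path|query)\s+-normalized")


def find_normalized_uses(config_text):
    """Return (kind, object, detail) tuples for every local traffic policy condition
    carrying the 'normalized' flag and every iRule call using -normalized.
    Nesting is tracked by counting braces per line; each opening line's leading
    text becomes the block name, so a policy condition is found at
    [ltm policy <name>, 'rules', <rule>, 'conditions', <n>]."""
    findings = []
    stack = []  # names of the enclosing { } blocks, outermost first
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        top = stack[0] if stack else ""
        # Policy condition keyword inside rules/<rule>/conditions/<n>
        if (line == "normalized" and top.startswith("ltm policy ")
                and len(stack) >= 3 and stack[1] == "rules"):
            findings.append(("policy", top[len("ltm policy "):], stack[2]))
        # Any -normalized HTTP command anywhere inside an 'ltm rule' block
        if top.startswith("ltm rule "):
            for m in IRULE_NORMALIZED.finditer(line):
                findings.append(("irule", top[len("ltm rule "):], m.group(0)))
        # Update the block stack after inspecting the line
        net = line.count("{") - line.count("}")
        if net > 0:
            stack.append(line.split("{", 1)[0].strip())
        elif net < 0:
            del stack[max(0, len(stack) + net):]
    return findings


if __name__ == "__main__":
    for kind, obj, detail in find_normalized_uses(SAMPLE_CONFIG):
        print(f"{kind:6} {obj}: {detail}")
```

Run it against the output of `tmsh list ltm policy` and `tmsh list ltm rule` (or a saved bigip.conf) rather than the embedded sample. The brace counting is deliberately simple: it assumes the tmsh layout shown on this page, where each opening brace closes on a later line, and it does not try to parse Tcl strings that themselves contain braces.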
Identify whether your system has URL filtering with the Websense database license activated
You can identify whether your BIG-IP system has URL filtering with the Websense database license activated by checking the /var/log/tmm log file during restart. When you have this feature, you see a log entry similar to the following example:
tmm:<13> Apr 18 06:14:15 bigip.local notice URLCAT_LIB: urlcat_websense_license_callback/984: WEBSENSE DB is licensed
This log entry displays only when you set the tmm.lib.urlcat.log.level BIG-IP system database variable to Debug.
Note: If you think your system is compromised, refer to K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.