CVE-2021-22991

CRITICAL KEV

BIG-IP <16.0.1.1, <15.1.2.1, <14.1.4, <13.1.3.6, <12.1.5.3 - DoS/RCE

Title source: llm

Description

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

References (2)

[Vendor Advisory] https://support.f5.com/csp/article/K56715231

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22991

Scores

CVSS v3 9.8

EPSS 0.7309

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-01-18

VulnCheck KEV 2021-06-01

InTheWild.io 2021-07-01

ENISA EUVD EUVD-2021-10109

CWE

CWE-119

Status published

Products (14)

f5/big-ip_access_policy_manager 12.1.0 - 12.1.5.3

f5/big-ip_advanced_firewall_manager 12.1.0 - 12.1.5.3

f5/big-ip_advanced_web_application_firewall 12.1.0 - 12.1.5.3

f5/big-ip_analytics 12.1.0 - 12.1.5.3

f5/big-ip_application_acceleration_manager 12.1.0 - 12.1.5.3

f5/big-ip_application_security_manager 12.1.0 - 12.1.5.3

f5/big-ip_ddos_hybrid_defender 12.1.0 - 12.1.5.3

f5/big-ip_domain_name_system 12.1.0 - 12.1.5.3

f5/big-ip_fraud_protection_service 12.1.0 - 12.1.5.3

f5/big-ip_global_traffic_manager 12.1.0 - 12.1.5.3

... and 4 more

Published Mar 31, 2021

KEV Added Jan 18, 2022

Tracked Since Feb 18, 2026