CVE-2021-22991: F5 BIG-IP Access Policy Manager DoS Flaw

CVE-2021-22991 Overview

CVE-2021-22991 is a buffer overflow vulnerability affecting the Traffic Management Microkernel (TMM) in F5 BIG-IP devices. The vulnerability exists in the URI normalization component, where undisclosed requests sent to a virtual server may be incorrectly handled. This improper handling can trigger a buffer overflow condition, which may result in a denial of service (DoS) attack. In certain situations, this vulnerability may theoretically allow attackers to bypass URL-based access control mechanisms or achieve remote code execution (RCE).

This vulnerability is particularly concerning due to the critical role BIG-IP devices play in enterprise network infrastructure, often serving as load balancers, application delivery controllers, and security gateways positioned at the network perimeter.

Critical Impact

This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation can lead to complete system compromise, denial of service, or bypass of security controls on affected F5 BIG-IP infrastructure.

Affected Products

• F5 BIG-IP Access Policy Manager (versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3)
• F5 BIG-IP Advanced Firewall Manager (versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3)
• F5 BIG-IP Advanced Web Application Firewall (versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3)
• F5 BIG-IP Analytics, Application Acceleration Manager, Application Security Manager
• F5 BIG-IP DDoS Hybrid Defender, Domain Name System, Fraud Protection Service
• F5 BIG-IP Global Traffic Manager, Link Controller, Local Traffic Manager
• F5 BIG-IP Policy Enforcement Manager, SSL Orchestrator

Discovery Timeline

• 2021-03-31 - CVE-2021-22991 published to NVD
• 2025-10-27 - Last updated in NVD database

Technical Details for CVE-2021-22991

Vulnerability Analysis

The vulnerability resides within the Traffic Management Microkernel (TMM), a core component of F5 BIG-IP systems responsible for processing all traffic passing through virtual servers. The TMM performs various operations on incoming requests, including URI normalization—a process that standardizes URL formats for consistent processing and security policy enforcement.

When certain malformed or crafted requests are sent to a virtual server, the URI normalization routine fails to properly validate input boundaries. This failure leads to a classic buffer overflow condition (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer), where data written to memory exceeds the allocated buffer size.

The exploitation path is particularly dangerous because it requires no authentication and can be triggered remotely over the network. The TMM component operates with high privileges within the BIG-IP system, meaning successful exploitation could grant attackers significant control over the device.

Root Cause

The root cause of CVE-2021-22991 is improper bounds checking in the TMM URI normalization functionality. When processing requests with specific URI patterns, the normalization code fails to adequately verify that input data fits within the destination buffer. This is a classic memory safety issue where the code assumes certain maximum lengths for URI components without proper validation.

The vulnerability falls under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating that the code does not properly limit the amount of data written to memory, allowing adjacent memory regions to be overwritten with attacker-controlled data.

Attack Vector

An attacker can exploit this vulnerability remotely over the network by sending specially crafted HTTP requests to a BIG-IP virtual server. The attack does not require authentication or user interaction, making it particularly severe for internet-facing BIG-IP deployments.

The exploitation involves sending requests containing URIs that trigger the vulnerable normalization code path. When the TMM processes these requests, the buffer overflow occurs in the kernel space, potentially allowing:

1. Denial of Service: Crashing the TMM process, causing traffic disruption
2. Access Control Bypass: Manipulating normalized URIs to circumvent URL-based security policies
3. Remote Code Execution: In certain memory layout conditions, achieving arbitrary code execution with TMM privileges

The attack surface includes any virtual server configured on the BIG-IP system that processes HTTP/HTTPS traffic. Given that BIG-IP devices typically sit at network boundaries handling significant traffic volumes, successful exploitation could have widespread impact on organizational infrastructure.

Detection Methods for CVE-2021-22991

Indicators of Compromise

• Unusual TMM process crashes or restarts visible in /var/log/ltm logs
• High volume of malformed HTTP requests targeting virtual servers with abnormally long or encoded URI patterns
• Unexpected changes to access control behavior or policy bypass events in ASM/APM logs
• Memory corruption indicators in core dumps located in /var/core/

Detection Strategies

• Monitor TMM daemon stability and alert on unexpected restarts using tmsh show sys service tmm
• Implement network intrusion detection rules to identify requests with excessively long or malformed URIs targeting BIG-IP virtual server ports
• Review BIG-IP system logs for buffer overflow indicators and memory violation errors
• Deploy web application firewall rules to block requests containing suspicious URI encoding patterns

Monitoring Recommendations

• Enable detailed request logging on virtual servers to capture URI patterns for forensic analysis
• Configure SNMP traps or syslog alerts for TMM health status changes
• Implement regular integrity checks on BIG-IP configuration to detect unauthorized access control modifications
• Monitor network traffic patterns for anomalous request volumes or characteristics targeting BIG-IP management interfaces

How to Mitigate CVE-2021-22991

Immediate Actions Required

• Immediately upgrade affected BIG-IP systems to patched versions: 16.0.1.1+, 15.1.2.1+, 14.1.4+, 13.1.3.6+, or 12.1.5.3+ respectively
• Review F5 Security Advisory K56715231 for specific hotfix information and upgrade guidance
• Audit network exposure of BIG-IP devices and restrict access to trusted networks where possible
• Enable enhanced logging on virtual servers to detect potential exploitation attempts during the patching window

Patch Information

F5 has released security patches addressing this vulnerability. Affected organizations should upgrade to the following fixed versions:

For detailed upgrade instructions and hotfix downloads, refer to the F5 Support Article K56715231. Note that software versions which have reached End of Software Development (EoSD) are not evaluated and organizations running such versions should upgrade to supported releases.

Workarounds

• If immediate patching is not possible, consider placing affected BIG-IP systems behind additional network security controls to filter potentially malicious requests
• Implement iRules to perform additional URI validation and reject requests with suspicious patterns before they reach the TMM normalization code
• Temporarily disable or restrict access to non-essential virtual servers until patches can be applied
• Consider implementing network segmentation to limit the blast radius of potential exploitation

# Check current BIG-IP version
tmsh show sys version

# Verify TMM process health status
tmsh show sys service tmm

# Review recent TMM-related log entries for anomalies
grep -i "tmm\|buffer\|overflow" /var/log/ltm

# List configured virtual servers requiring assessment
tmsh list ltm virtual all-properties