CVE-2024-21789 Overview
CVE-2024-21789 affects F5 BIG-IP Application Security Manager (ASM) and Advanced Web Application Firewall (WAF). When a security policy is configured on a virtual server, undisclosed requests cause an increase in memory resource utilization. Sustained exploitation can exhaust available memory and degrade or interrupt service on the affected appliance. The flaw is tracked under CWE-772 (Missing Release of Resource after Effective Lifetime). F5 evaluated only software versions still within technical support; End of Technical Support (EoTS) releases were not assessed. The issue is remotely reachable over the network and requires no authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can trigger memory exhaustion on BIG-IP ASM/Advanced WAF devices, leading to denial of service on protected applications.
Affected Products
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager (ASM)
- Software versions that have reached End of Technical Support (EoTS) were not evaluated
Discovery Timeline
- 2024-02-14 - CVE-2024-21789 published to NVD
- 2024-12-12 - Last updated in NVD database
Technical Details for CVE-2024-21789
Vulnerability Analysis
The vulnerability resides in how the BIG-IP ASM/Advanced WAF security policy engine processes specific HTTP requests against a virtual server. Certain undisclosed request patterns cause the policy enforcement path to allocate memory that is not released after the request completes. Repeated submission of these requests accumulates unreleased memory inside the WAF process. As memory pressure rises, the data plane can become unstable, drop traffic, or restart processes responsible for policy enforcement.
F5 classifies this as an availability-only issue. Confidentiality and integrity of traffic remain unaffected, but availability of the protected application path can be lost. The bug aligns with CWE-772, where an allocated resource is not freed after its effective lifetime.
Root Cause
The root cause is improper resource release inside the WAF request handling logic. Specific request structures trigger an allocation path that lacks a corresponding deallocation, leaving memory referenced beyond its required lifetime. F5 has not publicly disclosed the exact request shape or affected internal function in advisory K000137270 to limit exploitation risk.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker reaches the BIG-IP virtual server using any client capable of issuing HTTP requests. Only virtual servers with an ASM or Advanced WAF security policy bound to them are exposed. No special privileges, user interaction, or prior foothold is required. Repeated requests are needed to drive memory utilization upward and produce a denial-of-service outcome. Detailed exploitation specifics have not been published by F5.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.267% (50.42 percentile).
Detection Methods for CVE-2024-21789
Indicators of Compromise
- Sustained upward trend in tmm and WAF process memory utilization on BIG-IP devices with ASM/Advanced WAF policies attached.
- High-volume HTTP request bursts from a limited set of source addresses targeting virtual servers with WAF policies.
- WAF or bd daemon restarts, swap pressure, or out-of-memory events in /var/log/ltm and /var/log/asm.
- Increased policy enforcement latency or dropped connections on previously stable virtual servers.
Detection Strategies
- Baseline normal memory consumption per WAF-enabled virtual server, then alert on deviations exceeding the baseline over rolling windows.
- Correlate request rate per source IP against memory growth on the data plane to surface causal traffic.
- Monitor F5 iHealth and SNMP counters for memory utilization, connection table size, and process restarts.
- Forward BIG-IP syslog to a SIEM and search for memory allocation warnings, daemon restarts, and TMM core events.
Monitoring Recommendations
- Enable continuous telemetry export from BIG-IP to a centralized log platform with retention sufficient for trend analysis.
- Configure alerting thresholds for tmm.memory_used_pct and WAF process resident set size.
- Track HTTP request anomalies upstream of the WAF using flow logs or load balancer access logs to identify abusive sources.
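The rolling-baseline check, the sustained-growth check and the request-rate-to-memory correlation from the Detection Strategies and Monitoring Recommendations above, implemented as an added example that is not F5 code and not part of the advisory. The telemetry samples, source addresses and thresholds are constructed for illustration; in practice the memory readings would come from tmsh, SNMP or iHealth and the per-source request counts from access or flow logs.

```python
from statistics import mean, pstdev

# Constructed telemetry (not real BIG-IP output): one sample per minute as
# (minute, tmm memory used %, requests per source IP during that minute).
SAMPLES = [
    (0, 41.0, {"198.51.100.7": 100, "203.0.113.9": 110}),
    (1, 41.2, {"198.51.100.7": 100, "203.0.113.9": 112}),
    (2, 41.1, {"198.51.100.7": 100, "203.0.113.9": 108}),
    (3, 41.3, {"198.51.100.7": 100, "203.0.113.9": 111}),
    (4, 41.0, {"198.51.100.7": 100, "203.0.113.9": 109}),
    (5, 44.0, {"198.51.100.7": 900, "203.0.113.9": 110}),
    (6, 48.0, {"198.51.100.7": 1400, "203.0.113.9": 113}),
    (7, 53.0, {"198.51.100.7": 1800, "203.0.113.9": 107}),
    (8, 59.0, {"198.51.100.7": 2300, "203.0.113.9": 112}),
    (9, 66.0, {"198.51.100.7": 2900, "203.0.113.9": 110}),
]

def baseline_alerts(samples, window=5, margin_pts=12.0):
    """Minutes whose memory reading exceeds the mean of the previous `window`
    readings by more than `margin_pts` percentage points. The baseline itself
    drifts upward during a slow leak, so pair this with sustained_growth()."""
    return [m for i, (m, pct, _) in enumerate(samples) if i >= window
            and pct - mean(s[1] for s in samples[i - window:i]) > margin_pts]

def sustained_growth(samples, minutes=4):
    """True once memory has risen for `minutes` consecutive samples: the
    signature of a leak fed by repeated requests rather than a one-off spike."""
    run = 0
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur[1] > prev[1] else 0
        if run >= minutes:
            return True
    return False

def _pearson(xs, ys):
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0  # a constant series carries no usable correlation
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def correlate_sources(samples):
    """Rank source IPs by correlation between their per-minute request count
    and the per-minute memory delta; the top entry is the traffic to inspect."""
    deltas = [cur[1] - prev[1] for prev, cur in zip(samples, samples[1:])]
    sources = {ip for _, _, reqs in samples for ip in reqs}
    scores = {ip: _pearson([s[2].get(ip, 0) for s in samples[1:]], deltas)
              for ip in sources}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("baseline alerts at minutes:", baseline_alerts(SAMPLES))
    print("sustained growth:", sustained_growth(SAMPLES))
    print("sources ranked by correlation:", correlate_sources(SAMPLES))
```

On the constructed data the rolling baseline only fires at minutes 8 and 9, while the sustained-growth check fires earlier; the correlation step then points at the single source whose request volume tracks the memory climb.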
How to Mitigate CVE-2024-21789
Immediate Actions Required
- Review F5 advisory K000137270 and identify all BIG-IP devices running ASM or Advanced WAF within a supported version range.
- Upgrade affected BIG-IP systems to a fixed software release as listed by F5 in the advisory.
- Retire or upgrade any systems running End of Technical Support versions, which F5 does not evaluate or patch.
- Restrict network exposure of management and data plane interfaces to trusted sources where operationally feasible.
Patch Information
F5 has published fix information in security article K000137270. Administrators should consult the advisory for the exact fixed versions corresponding to their installed branch and apply the appropriate engineering hotfix or maintenance release. Software versions past End of Technical Support are not evaluated and require migration to a supported branch.
Workarounds
- Apply rate limiting and connection limits on virtual servers with ASM/Advanced WAF policies to slow memory growth from abusive sources.
- Use upstream filtering, such as a CDN or edge ACLs, to drop traffic from known abusive IP ranges before it reaches the WAF.
- Monitor memory utilization aggressively and schedule controlled failover or process restarts if thresholds are exceeded.
- Where supported, place suspicious sources into a blocked geolocation or reputation category enforced before WAF policy evaluation.
# Example: identify BIG-IP virtual servers with an ASM policy attached
tmsh list ltm virtual one-line | grep -i asm
# Example: review current memory utilization on the data plane
tmsh show sys memory
# Example: tail WAF and LTM logs for restart or OOM indicators
tail -f /var/log/ltm /var/log/asm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.