CVE-2024-23805 Overview
CVE-2024-23805 is a denial-of-service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM). Undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate, disrupting traffic processing on affected virtual servers. The flaw is categorized under [CWE-131] (Incorrect Calculation of Buffer Size) and requires no authentication or user interaction to trigger. Exploitation depends on specific non-default configurations involving the Application Visibility and Reporting (AVR) module and HTTP Analytics, DoS, or Bot Defense profiles.
Critical Impact
Remote unauthenticated attackers can terminate the TMM process, causing traffic disruption and loss of availability on affected BIG-IP virtual servers.
Affected Products
- F5 BIG-IP Advanced Web Application Firewall (versions through 17.1.0)
- F5 BIG-IP Application Security Manager (versions through 17.1.0)
- BIG-IP deployments using AVR, DoS, or Bot Defense profiles with specific DB variables enabled
Discovery Timeline
- 2024-02-14 - CVE-2024-23805 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-23805
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the core data-plane component of F5 BIG-IP. When specific request patterns are processed under vulnerable configurations, TMM terminates abnormally. TMM restart interrupts all traffic flowing through the affected virtual servers, producing a denial-of-service condition. The issue is classified as an incorrect calculation of buffer size [CWE-131], indicating that the module miscomputes memory boundaries when handling URL data collected for analytics.
Exploitation requires that the BIG-IP system be configured with either an HTTP Analytics profile (with URLs enabled under Collected Entities) or a DoS or Bot Defense profile attached to a virtual server. In addition, the AVR database variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI must be enabled. These variables are not enabled by default, which limits the exposed attack surface.
Root Cause
The root cause is an incorrect buffer size calculation within the AVR URL collection logic. When the DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled, TMM processes the URI in a way that exceeds intended memory bounds for certain request inputs, causing the process to terminate.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. A remote attacker sends crafted HTTP requests to a virtual server that has a vulnerable profile attached. The malformed URI triggers the buffer size miscalculation inside TMM, causing termination and disruption of proxied traffic. No confidentiality or integrity impact is reported, but availability impact is high.
See the F5 Security Article K000137334 for the authoritative technical description.
Detection Methods for CVE-2024-23805
Indicators of Compromise
- Unexpected TMM process termination or restarts recorded in /var/log/ltm and /var/log/tmm on BIG-IP systems.
- Sudden loss of connectivity or dropped sessions across virtual servers using AVR, DoS, or Bot Defense profiles.
- Core dump files generated by TMM shortly after receiving external HTTP requests.
Detection Strategies
- Inventory all BIG-IP virtual servers and identify those with HTTP Analytics, DoS, or Bot Defense profiles attached.
- Audit AVR database variables using tmsh list sys db avr.IncludeServerInURI and tmsh list sys db avr.CollectOnlyHostnameFromURI to determine exposure.
- Correlate TMM crash events with inbound HTTP request patterns to spot exploitation attempts.
Monitoring Recommendations
- Forward BIG-IP system logs and TMM crash telemetry to a centralized SIEM for correlation and alerting.
- Monitor virtual server availability and TMM uptime metrics via iHealth or SNMP for anomalous restarts.
- Track HTTP request anomalies targeting virtual servers with AVR-enabled analytics profiles.
How to Mitigate CVE-2024-23805
Immediate Actions Required
- Apply the fixed BIG-IP software versions listed in F5 Security Article K000137334.
- Verify whether avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled and disable them if not required.
- Review virtual server configurations to identify attached HTTP Analytics, DoS, and Bot Defense profiles.
Patch Information
F5 has published remediation guidance in F5 Security Article K000137334. Administrators should upgrade to a fixed release for BIG-IP Advanced WAF and ASM. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to a supported branch.
Workarounds
- Disable the AVR DB variables avr.IncludeServerInURI and avr.CollectOnlyHostnameFromURI if they are not required for analytics needs.
- Remove the URLs option under Collected Entities in the HTTP Analytics profile where feasible.
- Restrict network exposure of vulnerable virtual servers using upstream access controls until patches are applied.
# Check and disable the affected AVR DB variables via tmsh
tmsh list sys db avr.IncludeServerInURI
tmsh list sys db avr.CollectOnlyHostnameFromURI
tmsh modify sys db avr.IncludeServerInURI value disable
tmsh modify sys db avr.CollectOnlyHostnameFromURI value disable
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

