Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default “Normalize URI” configuration options used in iRules and/or BIG-IP LTM policies. (CVE-2016-9245)
Impact
An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. This vulnerability affects systems with any of the following configurations:
The following example configuration snippet shows the local traffic policy affected by this vulnerability:
ltm policy /Common/K22216037 {
requires { http }
rules {
vulnerable {
conditions {
0 {
http-uri
path
normalized
values { /exploitable }
}
}
}
}
strategy /Common/first-match
}
For example:
when HTTP_REQUEST {
if { ([HTTP::uri -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 URI example”
} elseif { ([HTTP::query -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 Query example”
} elseif { ([HTTP::path -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 Path example”
}
}
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.5.4 | |
big-ip afm | eq | 11.6.0 | |
big-ip afm | eq | 11.6.1 | |
big-ip afm | eq | 12.0.0 |