History: Aug 24, 2021 - 12:00 a.m.

K44553214 : Web application firewall vulnerability CVE-2021-23050

2021-08-24 00:00:00
my.f5.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.6 High
Confidence: High

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 18.3%

Security Advisory Description

When a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. (CVE-2021-23050)

Impact

Traffic is disrupted until the bd process restarts. This vulnerability allows a remote attacker to cause a denial-of-service (DoS) on the web application firewall. There is no control plane exposure; this is a data plane issue only. For more information about the bd process, refer to the following articles for your web application firewall product:

Important: The AWS Container Marketplace and the F5 Docker registry (docker-registry.nginx.com) provide NGINX container images that may also include vulnerable versions of NGINX App Protect. For example, if you are using the NGINX Ingress Controller with NGINX App Protect image from the AWS Container Marketplace, you may be using a vulnerable version of NGINX App Protect. To determine the version of your NGINX products, refer to K72015934: Display the NGINX software version.
