K66510514 : TMM vulnerability CVE-2022-34862

Security Advisory Description

When an LTM virtual server is configured to perform normalization, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2022-34862)

Impact

This vulnerability affects systems with one or more of the following configurations.

Affected configurations

BIG-IP APM

This vulnerability affects a virtual server associated with a BIG-IP APM profile. All BIG-IP APM use cases are vulnerable.

BIG-IP ASM

This vulnerability affects only BIG-IP ASM Risk Engine use cases. BIG-IP ASM Risk Engine is currently available only to Early Access (EA) customers and requires a special license.

BIG-IP PEM

This vulnerability affects BIG-IP PEM systems that use:

• URL filtering with the Websense database license activated.
• One or more virtual servers that perform URL categorization and use one of the following:
  • An iRule
  • A local traffic policy
  • A BIG-IP PEM policy

Secure Web Gateway

This vulnerability affects all F5 Secure Web Gateway (SWG) use cases. URL categorization is fundamental to the operation of SWG. SWG requires a separate subscription.

SSL Orchestrator

This vulnerability affects all systems that use the SSL Orchestrator Categorization macro.

BIG-IP (all modules)

This vulnerability affects all BIG-IP system modules that use one or more of the following configurations:

• URL filtering with the Websense database license activated.
• A virtual server associated with an HTTP profile and a local traffic policy with a rule condition that has the following options enabled: HTTP URI orHTTP RefererandUse normalized URI.

Note: TheUse normalized URI option is disabled by default.

For more information about HTTP profiles and local traffic policy rules, refer to K40243113: Overview of the HTTP profile and K04597703: Overview of the Local Traffic Policies feature (12.1.0 and later) respectively.

For example, in the following configuration, the local traffic policy is vulnerable:

ltm policy /Common/K56715231 {
requires { http http-connect }
rules {
VULN_RULE01 {
conditions {
0 {

http-uri

proxy-connect

normalized

values { VULN_URI_STRING }

}

}

}

VULN_RULE02 {

conditions {

0 {

http-referer

proxy-connect

normalized

values { VULN_REF_STRING }

}

}

ordinal 1

}

}

strategy /Common/first-match

}

• A virtual server associated with an HTTP profile and an iRule that uses any of the following commands with the -normalized switch:
  • HTTP::uri *HTTP::query *HTTP::path

For example, the following iRule is vulnerable:

when HTTP_REQUEST {
if { ([HTTP::uri -normalized] starts_with “/vulnerable”)} {
log local0.error “K56715231 URI example”
} elseif { ([HTTP::query -normalized] starts_with “/vulnerable”)} {
log local0.error “K56715231 Query example”
} elseif { ([HTTP::path -normalized] starts_with “/vulnerable”)} {
log local0.error “K56715231 Path example”
}
}

Identify whether your system has URL filtering with the Websense database license activated

You can identify whether your BIG-IP system has URL filtering with the Websense database license activated by checking the /var/log/tmm log file during restart. When you have this feature, you see a log entry similar to the following example:

tmm:<13> Apr 18 06:14:15 bigip.local notice URLCAT_LIB: urlcat_websense_license_callback/984: WEBSENSE DB is licensed

This log entry displays only when you set the tmm.lib.urlcat.log.level BIG-IP system database variable toDebug.

Note: If you think your system is compromised, refer to K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.