SOL15341 - BIG-IP ASM Virtual Edition may run out of memory under certain DoS conditions

2014-06-17T00:00:00
ID SOL15341
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

Vulnerability Recommended Actions

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table.

To mitigate this vulnerability, you can perform one or more of the following procedures, depending on the traffic characteristics of the site:

Note: For maximum effect, appropriate parameter values may need to be determined empirically, depending on the traffic characteristics of a given site.

  • Increasing the memory provisioning to the BIG-IP ASM VE guest
  • Increasing the memory allocation to the system's memory pools
  • Decreasing the value of the long_request_buffer_size internal parameter
  • Decreasing the value of the max_concurrent_long_request internal parameter

Increasing the memory provisioning to the BIG-IP ASM VE guest

Provisioning more memory to the BIG-IP ASM VE guest will increase the default memory allocation for the system's memory pool, thereby decreasing the chances of running out of memory. For example, increasing the memory from 4 GB to 8 GB roughly doubles the available memory for the memory pools. To increase the memory provisioning for the BIG-IP ASM VE guest, see the manufacturer's documentation for the hosting hypervisor system.

Impact of action: Performing the following procedure should not have a negative impact on your system.

Increasing the memory allocation to the system's memory pools

You can increase the memory allocation to the system's memory pool by increasing the value of the total_umu_max_size internal variable. For a 4 GB guest system, you should be able to increase this value to 1,500,000 kilobytes. To do so, perform the following procedure:

Impact of action: Allocating too much memory to the memory pools may have a negative impact on the other ASM components. You must restart the BIG-IP ASM service, which will cause a brief service interruption.

  1. Log in to the Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced Configuration > System Variables.
  3. Increase the value of the total_umu_max_size parameter in kilobytes.
  4. Click Save.

Note: The default value is 0, which allocates the maximum amount of available memory. The maximum amount of memory for a 4 GB guest is 700 MB.

  5. Restart the BIG-IP ASM service by typing the following command:

tmsh restart /sys service asm

Decreasing the value of the long_request_buffer_size internal parameter

Decreasing the value of the long_request_buffer_size parameter reduces the memory used for each large request. Depending on the traffic characteristics, you can usually decrease this value to between 500,000 bytes and 1,000,000 bytes. To decrease this value, perform the following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a brief service interruption.

  1. Log in to the Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced Configuration > System Variables.
  3. Decrease the value of the long_request_buffer_size parameter in bytes.
  4. Click Save.
  5. Restart the BIG-IP ASM service by typing the following command:

tmsh restart /sys service asm

Decreasing the value of the max_concurrent_long_request internal parameter

Decreasing the value of the max_concurrent_long_request parameter limits how many concurrent large requests are allowed before the BIG-IP ASM begins dropping them. Depending on traffic characteristics, this may need to be lowered to as little as 7 on a 4 GB guest. To decrease this value, perform the following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a brief service interruption.

  1. Log in to the Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced Configuration > System Variables.
  3. Decrease the value of the max_concurrent_long_request parameter.
  4. Click Save.
  5. Restart the BIG-IP ASM service by typing the following command:

tmsh restart /sys service asm
