F5 BIG-IP iRules Memory Resource Exhaustion Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in F5 BIG-IP when an iRule using the HTTP::respond command is applied to a virtual server. Undisclosed requests can trigger increased memory usage, causing system performance to degrade. This issue can lead to a denial-of-service condition on the BIG-IP system by causing the Traffic Management Microkernel (TMM) process to crash or requiring a manual restart. The vulnerability affects BIG-IP versions 17.1.0 through 17.1.2, 16.1.0 through 16.1.5, and certain 1.x releases of BIG-IP Next SPK, BIG-IP Next CNF, and BIG-IP Next for Kubernetes.

Impact

Exploitation of this vulnerability causes a degradation of service on the BIG-IP system, leading to a denial-of-service condition. The Traffic Management Microkernel (TMM) process either crashes or requires a manual restart, disrupting normal operations.

Remediation

To address this vulnerability, users can upgrade to BIG-IP version 17.5.0 or 17.1.2.2, or to BIG-IP Next version 1.4.0-EHF-3. For those using BIG-IP Next SPK, the vulnerability can be mitigated by having the affected iRules send a 'Connection: close' header on the responses they generate. This is done by modifying each iRule so that its 'HTTP::respond' command ends with the header pair 'Connection' 'close'.
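The mitigation above, as an added illustration that is not F5's own code: a hypothetical iRule that answers a health-check path directly with HTTP::respond, shown first in the original form and then with the "Connection" "close" header pair appended. The rule names, the /healthz path and the response body are constructed for this example.

```tcl
# Constructed example: two tmsh-style iRule definitions that answer a
# health check on the BIG-IP itself instead of forwarding it to a pool.

# Before: HTTP::respond with no Connection header. This is the pattern
# the advisory describes as affected on the listed versions.
ltm rule healthz_respond_before {
    when HTTP_REQUEST {
        if { [HTTP::path] equals "/healthz" } {
            # status, body, then header name/value pairs
            HTTP::respond 200 content "OK" "Content-Type" "text/plain"
        }
    }
}

# After: identical logic, with "Connection" "close" appended as the last
# header pair of HTTP::respond, which is the mitigation the advisory gives
# for BIG-IP Next SPK. Nothing else in the rule changes.
ltm rule healthz_respond_after {
    when HTTP_REQUEST {
        if { [HTTP::path] equals "/healthz" } {
            HTTP::respond 200 content "OK" "Content-Type" "text/plain" "Connection" "close"
        }
    }
}
```

After applying the change, a request to the path from a client that shows response headers should include Connection: close; its absence means the modified rule is not the one attached to the virtual server.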

Added: Oct 15, 2025, 2:42 PM
Updated: Oct 15, 2025, 2:42 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 7.6
remediation: 8.3
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.