F5 BIG-IP APM and SSL Orchestrator Memory Resource Exhaustion Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP systems configured as both SAML service providers and identity providers, with single logout enabled. Undisclosed requests in this configuration can lead to increased memory usage, causing system performance to degrade. This issue affects BIG-IP versions 15.1.0 through 15.1.10, 16.1.0 through 16.1.6, and 17.1.0 through 17.1.2, as well as BIG-IP APM, SSL Orchestrator, and related modules.

Impact

Exploitation of this vulnerability causes a degradation of service, leading to a denial-of-service condition on the BIG-IP system. The issue affects only the data plane; there is no control plane exposure.

Remediation

Users can upgrade to BIG-IP versions 15.1.10.8, 16.1.6.1, or 17.5.1 to address this vulnerability. For more information about managing BIG-IP product hotfixes, refer to the F5 article K13123.
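A quick way to turn the advisory's version ranges into an actionable check is a small script that maps an installed BIG-IP version to the fixed release it should move to. This is an added example, not F5's own tooling; the ranges and fixed versions are taken from the text above, and treating a hotfix build below the listed fix (for example 15.1.10.5 against 15.1.10.8) as still affected is an assumption of this example.

```python
# Added example: map a BIG-IP version string to the fixed release named in the
# advisory, or None when the version is outside the affected ranges.
# Ranges and fixed versions come from the advisory text; counting hotfix builds
# below the fix build (e.g. 15.1.10.5 < 15.1.10.8) as affected is an assumption.

from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected release, first fixed release), per the advisory
AFFECTED_RANGES = [
    ("15.1.0", "15.1.10", "15.1.10.8"),
    ("16.1.0", "16.1.6", "16.1.6.1"),
    ("17.1.0", "17.1.2", "17.5.1"),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.6.1' into (16, 1, 6, 1), padding to four components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        lo_v, hi_v, fixed_v = parse_version(lo), parse_version(hi), parse_version(fixed)
        # Inside the branch window (hotfix digit ignored) and below the fix build
        if lo_v <= v and v[:3] <= hi_v[:3] and v < fixed_v:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real system
    for sample in ["15.1.10.5", "15.1.10.8", "16.1.6", "17.1.2", "17.5.1", "14.1.5"]:
        print(sample, "->", fixed_version_for(sample) or "not affected")
```

A matching version is necessary but not sufficient: the advisory states the issue only applies when the system is configured as both a SAML service provider and identity provider with single logout enabled.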

Added: Oct 15, 2025, 2:41 PM
Updated: Oct 15, 2025, 2:41 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.