F5 BIG-IP Client SSL Profile Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in F5 BIG-IP when a Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH) ciphers allowed in the profile's cipher configuration. Under these conditions, certain undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic until TMM restarts. Affected releases are BIG-IP 15.1.0 through 15.1.10, 16.1.0 through 16.1.5, and 17.1.0 through 17.1.2; versions that have reached End of Technical Support are not covered by this assessment.
Impact
Exploiting this vulnerability leads to a denial-of-service condition, causing the TMM process to terminate and disrupt traffic management on the BIG-IP system.
Remediation
Upgrade to a fixed release: 17.1.2.2 on the 17.1.x branch or 16.1.6 on the 16.1.x branch. No fix is available on the 15.1.x branch, so systems running 15.1.x should be upgraded to a fixed 16.1.x or 17.1.x release. As an interim mitigation, and as good practice regardless, do not allow ADH ciphers on Client SSL profiles in production: anonymous Diffie-Hellman performs no server authentication, and the vulnerable condition requires ADH to be enabled in the profile's cipher string or cipher group. Review custom cipher configurations on any profile that also has SSL Forward Proxy enabled and remove ADH (for example by appending !ADH to the cipher string) so the affected configuration is not present. For more information on managing BIG-IP product hotfixes, consult the F5 support article K13123.
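The following is an added example, not part of the F5 advisory or this page: a POSIX shell script that scans the output of `tmsh list ltm profile client-ssl all-properties` for Client SSL profiles that both enable SSL Forward Proxy and allow ADH in their cipher string. The tmsh-style output embedded in the script is constructed, as are the profile names; `all-properties` is needed because `tmsh list` otherwise omits values a profile inherits from its parent. Profiles that select ciphers through a cipher-group rather than a cipher string are reported for manual review, since the script does not resolve cipher groups.

```shell
#!/bin/sh
# Added example, not from the F5 advisory: find Client SSL profiles that
# combine SSL Forward Proxy with an ADH-enabling cipher string.
# Run on a BIG-IP as:
#   tmsh list ltm profile client-ssl all-properties | flag_vulnerable_profiles
# The sample below is constructed tmsh-style output with made-up profile names.

SAMPLE_TMSH_OUTPUT='ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    cipher-group none
    ciphers DEFAULT
    key default.key
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
}
ltm profile client-ssl clientssl-fwdproxy-adh {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    cipher-group none
    ciphers ADH:AES:!SSLv3
    defaults-from clientssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass disabled
}
ltm profile client-ssl clientssl-fwdproxy-safe {
    app-service none
    cipher-group none
    ciphers DEFAULT:!ADH
    defaults-from clientssl
    ssl-forward-proxy enabled
}
ltm profile client-ssl clientssl-group {
    app-service none
    cipher-group /Common/f5-default
    ciphers none
    defaults-from clientssl
    ssl-forward-proxy enabled
}'

# True (exit 0) when an F5 cipher string enables ADH: the ADH keyword or an
# ADH-* cipher name appears as a colon-separated token without a leading "!".
# "DEFAULT:!ADH" is therefore safe; "ADH:AES" and "ADH-AES128-SHA" are not.
adh_enabled() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Eq '^ADH(-|$)'
}

# Reads tmsh profile listings on stdin and prints one line per profile that
# has ssl-forward-proxy enabled and either enables ADH via its cipher string
# (VULNERABLE) or selects ciphers via a cipher-group the script does not
# resolve (REVIEW). Only a top-level "}" closes a profile, so nested blocks
# such as cert-key-chain are skipped safely. The trailing space in the
# ssl-forward-proxy pattern keeps ssl-forward-proxy-bypass from matching.
flag_vulnerable_profiles() {
    awk '
        /^ltm profile client-ssl / { name = $4; ciphers = "none"; group = "none"; fp = "disabled"; next }
        /^[ \t]*ciphers /            { ciphers = $2 }
        /^[ \t]*cipher-group /       { group = $2 }
        /^[ \t]*ssl-forward-proxy /  { fp = $2 }
        /^}/                         { print name, fp, group, ciphers }
    ' | while read -r name fp group ciphers; do
        [ "$fp" = "enabled" ] || continue
        if [ "$group" != "none" ]; then
            echo "$name REVIEW cipher-group=$group"
        elif adh_enabled "$ciphers"; then
            echo "$name VULNERABLE ciphers=$ciphers"
        fi
    done
}

# Stand-alone run against the constructed sample; prints the ADH profile as
# VULNERABLE and the cipher-group profile as REVIEW, nothing for the others.
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | flag_vulnerable_profiles
```

The script treats the cipher string literally; to confirm what a string actually resolves to on a given release, run `tmm --clientciphers 'ADH:AES'` (or whatever the profile uses) on the BIG-IP and inspect the expanded cipher list. A profile flagged REVIEW needs its cipher-group opened with `tmsh list ltm cipher group <name>` and each referenced rule checked the same way.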
