F5 BIG-IP Next CNF
cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:*:*:*:*:*:*:*, +1 more
- >= 1.1.0, <= 1.4.1
A denial-of-service vulnerability has been identified in the Traffic Management Microkernel (TMM) of F5 BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes. When an iRule is applied to a virtual server via the declarative API, the subsequent cleanup process can lead to increased memory usage in TMM. This memory buildup can degrade system performance, causing a denial-of-service condition until the process is manually restarted.
Exploitation of this vulnerability can cause a degradation of system performance, leading to a denial-of-service condition on the affected F5 BIG-IP Next components.
To address this vulnerability, users should upgrade to BIG-IP Next SPK 2.0.0, BIG-IP Next CNF 2.1.0, or BIG-IP Next for Kubernetes 2.1.0. For versions 1.x of BIG-IP Next SPK or CNF, no update candidate currently exists, but F5 recommends upgrading to a version with the fix. Additionally, management access to these F5 products should be restricted to trusted users and IP addresses.