F5 BIG-IP Next Products Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems. This issue arises from repeated undisclosed API calls that can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic until the TMM process restarts. The vulnerability allows a remote, authenticated attacker to cause this denial-of-service condition. Notably, this is a control plane issue only, with no data plane exposure.

Impact

Exploitation of this vulnerability disrupts traffic management by causing the TMM process to terminate and restart, temporarily interrupting services that rely on TMM for traffic management.

Remediation

To address this vulnerability, users can upgrade to BIG-IP Next SPK 2.1.0, BIG-IP Next CNF 2.1.0, or BIG-IP Next for Kubernetes 2.1.0. For versions 1.x, users should upgrade to the latest available version. Consult the F5 product lifecycle support policy for guidance on version availability.

Added: Oct 15, 2025, 2:32 PM
Updated: Oct 15, 2025, 2:32 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 5.0
remediation: 0.0
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.