F5 BIG-IP Configuration Utility Denial-of-Service Vulnerability via LDAP Authentication
Vulnerability
A denial-of-service vulnerability has been identified in the F5 BIG-IP Configuration utility when it is configured to use Lightweight Directory Access Protocol (LDAP) authentication. Undisclosed traffic can cause the httpd process to exhaust its available file descriptors, leaving the Configuration utility unresponsive until the httpd process is restarted. This issue affects BIG-IP versions 21.0.0, 17.5.0 through 17.5.1, and 17.1.0 through 17.1.3, as well as all 16.x versions. BIG-IQ Centralized Management, F5 Distributed Cloud services, and NGINX One Console are not vulnerable.
Impact
Exploitation of this vulnerability causes the BIG-IP Configuration utility to stop responding, leading to a denial-of-service condition that requires manual intervention to resolve.
Remediation
Upgrade to BIG-IP version 21.0.0.2, 17.5.1.6, or 17.1.3.2 to address this vulnerability. Until a fixed version is installed, restrict access to the Configuration utility to trusted networks or devices. For more information on managing BIG-IP product hotfixes, refer to the F5 article K13123.
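The following is an added triage example, not code from F5 or from this advisory: it maps the affected and fixed version ranges listed above onto a constructed inventory of BIG-IP hosts so a defender can see which devices still need the upgrade or the access restriction. It assumes that a release inside an affected range counts as affected until it reaches the fixed release listed for that branch, that releases beyond a listed range are "not listed" rather than guessed at, and that 16.x has no fixed release.

```python
# Added example: version triage against the ranges stated in this advisory.
# Assumption: a release inside an affected range is affected until it reaches
# the fixed release for its branch; 16.x has no fix listed in the advisory.

# One rule per affected branch: prefix that selects the branch, last affected
# major.minor.patch (None = entire branch), and the fixed release (None = no fix).
RULES = [
    {"branch": (21, 0, 0), "last": (21, 0, 0), "fixed": (21, 0, 0, 2)},
    {"branch": (17, 5),    "last": (17, 5, 1), "fixed": (17, 5, 1, 6)},
    {"branch": (17, 1),    "last": (17, 1, 3), "fixed": (17, 1, 3, 2)},
    {"branch": (16,),      "last": None,       "fixed": None},
]


def parse_version(version: str) -> tuple:
    """Turn '17.5.1.6' into (17, 5, 1, 6) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for one BIG-IP version."""
    v = parse_version(version)
    for rule in RULES:
        if v[: len(rule["branch"])] != rule["branch"]:
            continue  # different branch, try the next rule
        in_range = rule["last"] is None or v[:3] <= rule["last"]
        if not in_range:
            return "not listed"  # newer than the listed range; do not guess
        if rule["fixed"] is not None and v >= rule["fixed"]:
            return "fixed"  # at or beyond the fixed release for this branch
        return "affected"
    return "not listed"


def triage(inventory: dict) -> dict:
    """Map each hostname in {host: version} to its status under this advisory."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "bigip-dmz-01": "17.5.1.3",   # inside 17.5.0-17.5.1, below the 17.5.1.6 fix
    "bigip-dmz-02": "17.5.1.6",   # fixed release
    "bigip-core-01": "17.1.3",    # inside 17.1.0-17.1.3
    "bigip-lab-01": "16.1.4",     # all 16.x affected, no fix listed
    "bigip-new-01": "21.0.0.2",   # fixed release
    "bigip-old-01": "15.1.10",    # not in any listed range
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```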