CVE-2022-41833
First published: Wed Oct 19 2022(Updated: )
In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a virtual server, undisclosed requests can cause Traffic Management Microkernel (TMM) to terminate.
Credit: f5sirt@f5.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 BIG-IP Access Policy Manager | >=13.1.0<=13.1.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=13.1.5 | |
| F5 BIG-IP Analytics | >=13.1.0<=13.1.5 | |
| F5 Big-ip Application Acceleration Manager | >=13.1.0<=13.1.5 | |
| F5 BIG-IP Application Security Manager | >=13.1.0<=13.1.5 | |
| F5 Big-ip Domain Name System | >=13.1.0<=13.1.5 | |
| F5 Big-ip Fraud Protection Service | >=13.1.0<=13.1.5 | |
| F5 Big-ip Global Traffic Manager | >=13.1.0<=13.1.5 | |
| F5 Big-ip Link Controller | >=13.1.0<=13.1.5 | |
| F5 Big-ip Local Traffic Manager | >=13.1.0<=13.1.5 | |
| F5 Big-ip Policy Enforcement Manager | >=13.1.0<=13.1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-41833?
CVE-2022-41833 is a vulnerability found in all BIG-IP 13.1.x versions that can cause Traffic Management Microkernel (TMM) to terminate when an iRule containing the HTTP::collect command is configured on a virtual server.
Which software versions are affected by CVE-2022-41833?
CVE-2022-41833 affects all BIG-IP 13.1.x versions between 13.1.0 and 13.1.5, including F5 BIG-IP Access Policy Manager, Advanced Firewall Manager, Analytics, Application Acceleration Manager, Application Security Manager, Domain Name System, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, and Policy Enforcement Manager.
How severe is CVE-2022-41833?
CVE-2022-41833 has a severity rating of 7.5 (High).
What is the Common Weakness Enumeration (CWE) ID for CVE-2022-41833?
The Common Weakness Enumeration (CWE) ID for CVE-2022-41833 is 400.
How can I fix CVE-2022-41833?
To fix CVE-2022-41833, upgrade to a version of BIG-IP that is not affected by this vulnerability or apply the necessary patches provided by F5 Networks.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/author
- vendor/f5
- canonical/f5 big-ip access policy manager
- version/f5 big-ip access policy manager/13.1.0
- version/f5 big-ip access policy manager/13.1.5
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/13.1.0
- version/f5 big-ip advanced firewall manager/13.1.5
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/13.1.0
- version/f5 big-ip analytics/13.1.5
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/13.1.0
- version/f5 big-ip application acceleration manager/13.1.5
- canonical/f5 big-ip application security manager
- version/f5 big-ip application security manager/13.1.0
- version/f5 big-ip application security manager/13.1.5
- canonical/f5 big-ip domain name system
- version/f5 big-ip domain name system/13.1.0
- version/f5 big-ip domain name system/13.1.5
- canonical/f5 big-ip fraud protection service
- version/f5 big-ip fraud protection service/13.1.0
- version/f5 big-ip fraud protection service/13.1.5
- canonical/f5 big-ip global traffic manager
- version/f5 big-ip global traffic manager/13.1.0
- version/f5 big-ip global traffic manager/13.1.5
- canonical/f5 big-ip link controller
- version/f5 big-ip link controller/13.1.0
- version/f5 big-ip link controller/13.1.5
- canonical/f5 big-ip local traffic manager
- version/f5 big-ip local traffic manager/13.1.0
- version/f5 big-ip local traffic manager/13.1.5
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/13.1.0
- version/f5 big-ip policy enforcement manager/13.1.5