CVE-2022-23012

On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Affected Software

Name	Vendor	Start Version	End Version
Big-ip_access_policy_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_access_policy_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_advanced_firewall_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_advanced_firewall_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_analytics	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_analytics	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_application_acceleration_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_application_acceleration_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_application_security_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_application_security_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_domain_name_system	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_domain_name_system	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_fraud_protection_service	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_fraud_protection_service	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_global_traffic_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_global_traffic_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_link_controller	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_link_controller	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_local_traffic_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_local_traffic_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)
Big-ip_policy_enforcement_manager	F5	14.1.0 (including)	14.1.4.5 (excluding)
Big-ip_policy_enforcement_manager	F5	15.1.0 (including)	15.1.4.1 (excluding)

Potential Mitigations

References

https://support.f5.com/csp/article/K26310765

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-23012
CWE	https://cwe.mitre.org/data/definitions/415.html

Double Free

Weakness

Affected Software

Potential Mitigations

References