CVE-2022-23029

On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

Affected Software

Name	Vendor	Start Version	End Version
Big-ip_access_policy_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_access_policy_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_access_policy_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_access_policy_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_access_policy_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_advanced_firewall_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_advanced_firewall_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_advanced_firewall_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_advanced_firewall_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_advanced_firewall_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_advanced_web_application_firewall	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_advanced_web_application_firewall	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_advanced_web_application_firewall	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_advanced_web_application_firewall	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_advanced_web_application_firewall	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_analytics	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_analytics	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_analytics	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_analytics	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_analytics	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_application_acceleration_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_application_acceleration_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_application_acceleration_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_application_acceleration_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_application_acceleration_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_application_security_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_application_security_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_application_security_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_application_security_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_application_security_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_ddos_hybrid_defender	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_ddos_hybrid_defender	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_ddos_hybrid_defender	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_ddos_hybrid_defender	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_ddos_hybrid_defender	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_domain_name_system	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_domain_name_system	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_domain_name_system	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_domain_name_system	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_domain_name_system	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_fraud_protection_service	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_fraud_protection_service	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_fraud_protection_service	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_fraud_protection_service	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_fraud_protection_service	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_global_traffic_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_global_traffic_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_global_traffic_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_global_traffic_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_global_traffic_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_link_controller	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_link_controller	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_link_controller	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_link_controller	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_link_controller	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_local_traffic_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_local_traffic_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_local_traffic_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_local_traffic_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_local_traffic_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_policy_enforcement_manager	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_policy_enforcement_manager	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_policy_enforcement_manager	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_policy_enforcement_manager	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_policy_enforcement_manager	F5	15.1.0 (including)	15.1.4 (including)
Big-ip_ssl_orchestrator	F5	11.6.1 (including)	11.6.5 (including)
Big-ip_ssl_orchestrator	F5	12.1.0 (including)	12.1.6 (including)
Big-ip_ssl_orchestrator	F5	13.1.0 (including)	13.1.4 (including)
Big-ip_ssl_orchestrator	F5	14.1.0 (including)	14.1.4 (including)
Big-ip_ssl_orchestrator	F5	15.1.0 (including)	15.1.4 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-23029
CWE	https://cwe.mitre.org/data/definitions/367.html

Time-of-check Time-of-use (TOCTOU) Race Condition

Weakness

Affected Software

Potential Mitigations

References

CVE-2022-23029

Time-of-check Time-of-use (TOCTOU) Race Condition

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References