ID

VAR-202109-0787


CVE

CVE-2021-23049


TITLE

plural  F5 Networks  Product resource exhaustion vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-011976

DESCRIPTION

On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. plural F5 Networks The product contains a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. F5 BIG-IP has a security vulnerability. The vulnerability stems from the ability to modify and increase the request or response body size when using decompressors, json transcoders, grpc web, or other proprietary extensions. An attacker could exploit this vulnerability to read invalid memory and cause a crash, resulting in a denial of service

Trust: 1.8

sources: NVD: CVE-2021-23049 // JVNDB: JVNDB-2021-011976 // VULHUB: VHN-381535 // VULMON: CVE-2021-23049

AFFECTED PRODUCTS

vendor:f5model:big-ip access policy managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:16.0.1.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip link controllerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

vendor:f5model:big-ip local traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23049
value: HIGH

Trust: 1.0

NVD: CVE-2021-23049
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202108-2294
value: HIGH

Trust: 0.6

VULHUB: VHN-381535
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-23049
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-23049
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-381535
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23049
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-23049
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // CNNVD: CNNVD-202108-2294 // JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

problemtype:Resource exhaustion (CWE-400) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-381535 // JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-2294

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202108-2294

PATCH

title:K65397301url:https://support.f5.com/csp/article/K65397301

Trust: 0.8

title:F5 BIG-IP Remediation of resource management error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163748

Trust: 0.6

sources: CNNVD: CNNVD-202108-2294 // JVNDB: JVNDB-2021-011976

EXTERNAL IDS

db:NVDid:CVE-2021-23049

Trust: 3.4

db:JVNDBid:JVNDB-2021-011976

Trust: 0.8

db:CNNVDid:CNNVD-202108-2294

Trust: 0.7

db:AUSCERTid:ESB-2021.2867

Trust: 0.6

db:VULHUBid:VHN-381535

Trust: 0.1

db:VULMONid:CVE-2021-23049

Trust: 0.1

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // CNNVD: CNNVD-202108-2294 // JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

REFERENCES

url:https://support.f5.com/csp/article/k65397301

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-23049

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.2867

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-memory-leak-via-irules-resolver-summarize-36205

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-381535 // VULMON: CVE-2021-23049 // CNNVD: CNNVD-202108-2294 // JVNDB: JVNDB-2021-011976 // NVD: CVE-2021-23049

SOURCES

db:VULHUBid:VHN-381535
db:VULMONid:CVE-2021-23049
db:CNNVDid:CNNVD-202108-2294
db:JVNDBid:JVNDB-2021-011976
db:NVDid:CVE-2021-23049

LAST UPDATE DATE

2026-06-19T23:07:38.783000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-381535date:2021-09-24T00:00:00
db:VULMONid:CVE-2021-23049date:2021-09-24T00:00:00
db:CNNVDid:CNNVD-202108-2294date:2021-09-26T00:00:00
db:JVNDBid:JVNDB-2021-011976date:2022-08-19T04:41:00
db:NVDid:CVE-2021-23049date:2026-06-17T03:38:16.760

SOURCES RELEASE DATE

db:VULHUBid:VHN-381535date:2021-09-14T00:00:00
db:VULMONid:CVE-2021-23049date:2021-09-14T00:00:00
db:CNNVDid:CNNVD-202108-2294date:2021-08-24T00:00:00
db:JVNDBid:JVNDB-2021-011976date:2022-08-19T00:00:00
db:NVDid:CVE-2021-23049date:2021-09-14T13:15:11.033