cve-2023-22302
Vulnerability from cvelistv5
Published
2023-02-01 17:53
Modified
2025-03-26 15:58
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References
f5sirt@f5.comhttps://my.f5.com/manage/s/article/K58550078Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://my.f5.com/manage/s/article/K58550078Vendor Advisory
Impacted products
Vendor Product Version
F5 BIG-IP Version: 17.0.0   
Version: 16.1.2.2   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T10:07:05.929Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://my.f5.com/manage/s/article/K58550078",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-22302",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-26T15:57:36.687331Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-26T15:58:24.750Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unknown",
               modules: [
                  "All modules",
               ],
               product: "BIG-IP",
               vendor: "F5",
               versions: [
                  {
                     lessThan: "17.0.0.2",
                     status: "affected",
                     version: "17.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "16.1.3.3",
                     status: "affected",
                     version: "16.1.2.2",
                     versionType: "semver",
                  },
               ],
            },
         ],
         datePublic: "2023-02-01T15:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.<br>",
                  },
               ],
               value: "In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-772",
                     description: "CWE-772 Missing Release of Resource after Effective Lifetime",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-02-01T17:53:19.320Z",
            orgId: "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            shortName: "f5",
         },
         references: [
            {
               url: "https://my.f5.com/manage/s/article/K58550078",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         title: "BIG-IP HTTP profile vulnerability",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
      assignerShortName: "f5",
      cveId: "CVE-2023-22302",
      datePublished: "2023-02-01T17:53:19.320Z",
      dateReserved: "2023-01-13T06:43:46.174Z",
      dateUpdated: "2025-03-26T15:58:24.750Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-22302\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2023-02-01T18:15:10.820\",\"lastModified\":\"2024-11-21T07:44:29.253\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-772\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-772\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"3B18C60C-27E7-4258-83B9-6972562E788B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"E84986CC-EF54-4404-B559-3FF946C67BB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"0C2BE12E-5276-4589-9233-8B34501650B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"4D73AB87-F4A4-47D5-A21E-BB1330454634\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"51E21925-F4CE-4205-A217-18E5BE0C75AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"A2E0F084-A550-40EC-A106-D869DDA96546\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"B76DADBB-44CE-4729-B2C6-092C339EC7F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"7E9D2DF2-F179-4F04-AB09-1BEAD56248A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"264B4CF6-E013-46E6-A6FA-58B7D8A4A26A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"FD5FB958-EDC9-4D39-AE1E-9E77FB5437B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"CE7B7358-8E75-4070-A426-8D883B25E384\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"33C4B785-93AC-4316-BDA1-D173520306E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"F09EA8D1-1230-44E0-8AD7-2EF57C335C80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"93721140-2035-4431-BF5F-CA0C78BBFE53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"63F2F61C-D9E2-4968-A854-FA802D96656F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"1FACDA44-7199-47C7-A0C6-1728B46CC6AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"065979A9-63DB-4DEB-A0A7-454733EFC45F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"1ED20421-3E21-40B8-B1FB-68F910F543F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"0941C38C-2BF4-4532-A4E2-4549823026A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"5FAB540A-6082-4F6E-9CDE-0AB719B1001F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"8A23C109-279D-4015-9EBD-47D54DDEA0D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"AE38066A-9FAF-46E6-B3F8-1473D64EE122\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.2.2\",\"versionEndExcluding\":\"16.1.3.3\",\"matchCriteriaId\":\"B9E33213-C376-4CFF-9156-80FDBC945ABC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"17.0.0.2\",\"matchCriteriaId\":\"68A413B5-6809-4FB3-BAEC-5EF1FDF201B0\"}]}]}],\"references\":[{\"url\":\"https://my.f5.com/manage/s/article/K58550078\",\"source\":\"f5sirt@f5.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://my.f5.com/manage/s/article/K58550078\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K58550078\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:07:05.929Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-22302\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-26T15:57:36.687331Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-26T15:57:43.913Z\"}}], \"cna\": {\"title\": \"BIG-IP HTTP profile vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"F5\", \"modules\": [\"All modules\"], \"product\": \"BIG-IP\", \"versions\": [{\"status\": \"affected\", \"version\": \"17.0.0\", \"lessThan\": \"17.0.0.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"16.1.2.2\", \"lessThan\": \"16.1.3.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2023-02-01T15:00:00.000Z\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K58550078\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker\\u2019s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker\\u2019s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.<br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-772\", \"description\": \"CWE-772 Missing Release of Resource after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"shortName\": \"f5\", \"dateUpdated\": \"2023-02-01T17:53:19.320Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2023-22302\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-26T15:58:24.750Z\", \"dateReserved\": \"2023-01-13T06:43:46.174Z\", \"assignerOrgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"datePublished\": \"2023-02-01T17:53:19.320Z\", \"assignerShortName\": \"f5\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.