CVE-2022-41833 An iRule containing the HTTP::collect command can cause TMM to terminate.

In certain situations, TMM might issue a TCP RST back to the client, causing the client to send a retry back to the client. This process repeats until the client times out. A similar issue occurs when a client sends a large number of TCP SYN packets to a server. After the server receives a large number of SYN packets, TMM might issue a TCP RST back to the client. This process repeats until the client times out.

The following iRules can cause these scenarios:

iRule Command | Purpose
HTTP::collect /server-status | Collects server status information from the server. The information is written to the iRule’s client session.
end if {!http_command} | If the client sent a command other than GET or HEAD, then issue a TCP RST.
end if {!http_request} | If the client sent a request other than GET or HEAD, then issue a TCP RST.
end if

Mitigation

Mitigation of TCP RST issue:

iRule Command | Purpose
HTTP::collect /server-status | Collects server status information from the server. The information is written to the iRule’s client session.
end if {!http_command} | If the client sent a command other than GET or HEAD, then issue a TCP RST.
end if {!http_request} | If the client sent a request other than GET or HEAD, then issue a TCP RST.
end if

Mitigation for large number of SYN packets:

Workaround

end if {!http_request} | If the client sent a request other than GET or HEAD, then issue a TCP RST.
end if

Timeline

Published on: 10/19/2022 22:15:00 UTC
Last modified on: 10/24/2022 15:46:00 UTC
