===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1001
  sol15341: BIG-IP ASM Virtual Edition may run out of memory under certain
                                DoS conditions
                                19 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP ASM
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15341.html

--------------------------BEGIN INCLUDED TEXT--------------------

sol15341: BIG-IP ASM Virtual Edition may run out of memory under certain DoS
conditions

Security Advisory

Original Publication Date: 06/17/2014

Description

The BIG-IP ASM system limits the maximum number of concurrent requests with
large payloads (10,000 bytes or larger) to 100 by default, using the
max_concurrent_long_request internal parameter. Once this limit is reached,
the BIG-IP ASM system drops new requests with large payloads. The maximum
individual request length supported by the system is set by the
long_request_buffer_size internal parameter, which defaults to 10 MB. The
number of concurrent large requests the system can actually process is
therefore bounded by the memory available in the system's memory pools. For a
BIG-IP ASM Virtual Edition (VE) guest provisioned with 4 GB of memory, the
memory available to the memory pools is limited to 700 MB by default. If the
BIG-IP ASM VE receives many large requests at once, the system can run out of
memory.

Impact

The BIG-IP ASM enabled virtual servers stop responding until the BIG-IP ASM
service is restarted.

Status

F5 Product Development tracked this vulnerability as ID 445508 and has
evaluated the currently supported releases for potential vulnerability.
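The bulletin describes the exhaustion as the product of three settings (large-request slots, per-request buffer size, and the memory-pool ceiling), and each of its mitigations lowers one factor or raises the ceiling. The following sizing check is an added example, not F5's or AusCERT's code; its constants are the bulletin's stated defaults for a 4 GB VE guest, "MB" and "KB" are taken as decimal units, and the worst-case model (slots multiplied by buffer size) is an assumed simplification that ignores the other ASM components sharing the pools.

```python
# Added sizing check (not from the F5/AusCERT bulletin). Constants are the
# bulletin's defaults for a 4 GB BIG-IP ASM VE guest; MB/KB are decimal.
# Worst-case model (slots x buffer size) is an assumed simplification: the
# real memory pools also serve other ASM components, so it is an upper bound.

DEFAULT_MAX_CONCURRENT_LONG_REQUEST = 100      # max_concurrent_long_request
DEFAULT_LONG_REQUEST_BUFFER_SIZE = 10_000_000  # long_request_buffer_size, bytes
DEFAULT_POOL_BYTES_4GB_GUEST = 700_000_000     # default pool ceiling, 4 GB guest
MITIGATED_POOL_BYTES_4GB_GUEST = 1_500_000 * 1000  # total_umu_max_size 1,500,000 KB


def worst_case_buffer_bytes(max_concurrent, buffer_bytes):
    """Memory held if every allowed large-request slot is filled with a
    request at the maximum buffer size."""
    return max_concurrent * buffer_bytes


def fits_in_pool(max_concurrent, buffer_bytes, pool_bytes):
    """True when the worst case cannot exhaust the configured pool."""
    return worst_case_buffer_bytes(max_concurrent, buffer_bytes) <= pool_bytes


def max_concurrent_for_pool(pool_bytes, buffer_bytes, reserved_bytes=0):
    """Largest max_concurrent_long_request whose worst case still fits after
    reserving reserved_bytes for other ASM consumers. This is only an upper
    bound; the bulletin's empirically derived value (7) sits far below it."""
    usable = max(0, pool_bytes - reserved_bytes)
    return usable // buffer_bytes


def evaluate(max_concurrent, buffer_bytes, pool_bytes):
    """Report a configuration's worst case, whether it fits, and the shortfall."""
    need = worst_case_buffer_bytes(max_concurrent, buffer_bytes)
    return {
        "worst_case_bytes": need,
        "pool_bytes": pool_bytes,
        "fits": need <= pool_bytes,
        "shortfall_bytes": max(0, need - pool_bytes),
    }


if __name__ == "__main__":
    # Defaults: 100 x 10 MB = 1,000 MB against a 700 MB pool -> exhaustible.
    print("defaults:", evaluate(DEFAULT_MAX_CONCURRENT_LONG_REQUEST,
                                DEFAULT_LONG_REQUEST_BUFFER_SIZE,
                                DEFAULT_POOL_BYTES_4GB_GUEST))
    # Each mitigation from the bulletin, applied on its own:
    print("pool -> 1,500,000 KB:", fits_in_pool(100, 10_000_000, MITIGATED_POOL_BYTES_4GB_GUEST))
    print("buffer -> 1,000,000 B:", fits_in_pool(100, 1_000_000, DEFAULT_POOL_BYTES_4GB_GUEST))
    print("slots -> 7:", fits_in_pool(7, 10_000_000, DEFAULT_POOL_BYTES_4GB_GUEST))
```

Under the defaults the model shows a 300 MB shortfall, which is why the bulletin treats the default combination as exhaustible even before site-specific tuning.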
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product     Versions known to be  Versions known to be  Vulnerable component
            vulnerable            not vulnerable        or feature
----------  --------------------  --------------------  ----------------------
BIG-IP ASM  11.2.1 - 11.5.0       11.5.1                BIG-IP Virtual Edition
                                  11.5.0 HF1
                                  11.4.1 HF4
                                  11.4.0 HF6
                                  11.0.0 - 11.2.0
                                  10.0.0 - 10.2.4

Recommended action

To eliminate this vulnerability, upgrade to a version that is listed in the
"Versions known to be not vulnerable" column in the previous table.

To mitigate this vulnerability, you can perform one or more of the following
procedures, depending on the traffic characteristics of the site:

Note: For maximum effect, appropriate parameter values may need to be
determined empirically, depending on the traffic characteristics of a given
site.

  - Increasing the memory provisioning to the BIG-IP ASM VE guest
  - Increasing the memory allocation to the system's memory pools
  - Decreasing the value of the long_request_buffer_size internal parameter
  - Decreasing the value of the max_concurrent_long_request internal parameter

Increasing the memory provisioning to the BIG-IP ASM VE guest

Provisioning more memory to the BIG-IP ASM VE guest increases the default
memory allocation for the system's memory pool, thereby decreasing the chance
of running out of memory. For example, increasing the memory from 4 GB to
8 GB roughly doubles the memory available to the memory pools. To increase
the memory provisioning for the BIG-IP ASM VE guest, see the manufacturer's
documentation for the hosting hypervisor system.

Impact of action: Performing this procedure should not have a negative impact
on your system.
Increasing the memory allocation to the system's memory pools

You can increase the memory allocation to the system's memory pool by
increasing the value of the total_umu_max_size internal variable. For a 4 GB
guest system, you should be able to increase this value to 1,500,000
kilobytes. To do so, perform the following procedure:

Impact of action: Allocating too much memory to the memory pools may have a
negative impact on the other ASM components. You must restart the BIG-IP ASM
service, which will cause a brief service interruption.

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced
     Configuration > System Variables.
  3. Increase the value of the total_umu_max_size parameter in kilobytes.

     Note: The default value is 0, which allocates the maximum amount of
     available memory. The maximum amount of memory for a 4 GB guest is
     700 MB.

  4. Click Save.
  5. Restart the BIG-IP ASM service by typing the following command:

       tmsh restart /sys service asm

Decreasing the value of the long_request_buffer_size internal parameter

Decreasing the value of long_request_buffer_size reduces the memory used for
each large request. Depending on the traffic characteristics, you can usually
decrease this value to between 500,000 bytes and 1,000,000 bytes. To decrease
this value, perform the following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a
brief service interruption.

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced
     Configuration > System Variables.
  3. Decrease the value of the long_request_buffer_size parameter in bytes.
  4. Click Save.
  5. Restart the BIG-IP ASM service by typing the following command:

       tmsh restart /sys service asm

Decreasing the value of the max_concurrent_long_request internal parameter

Decreasing the value of the max_concurrent_long_request parameter limits how
many concurrent large requests are allowed before the BIG-IP ASM begins
dropping them. Depending on traffic characteristics, this may need to be
lowered to as little as 7 on a 4 GB guest. To decrease this value, perform
the following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a
brief service interruption.

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Security > Options > Application Security > Advanced
     Configuration > System Variables.
  3. Decrease the value of the max_concurrent_long_request parameter.
  4. Click Save.
  5. Restart the BIG-IP ASM service by typing the following command:

       tmsh restart /sys service asm

Supplemental Information

  - SOL9970: Subscribing to email notifications regarding F5 products
  - SOL9957: Creating a custom RSS feed to view new and updated documents
  - SOL4602: Overview of the F5 security vulnerability response policy
  - SOL4918: Overview of the F5 critical issue hotfix policy
  - SOL167: Downloading software and firmware from F5
  - SOL13123: Managing BIG-IP product hotfixes (11.x)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================