-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1001
        sol15341: BIG-IP ASM Virtual Edition may run out of memory
                       under certain DoS conditions
                               19 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP ASM
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15341.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol15341: BIG-IP ASM Virtual Edition may run out of memory under certain DoS conditions

Security Advisory

Original Publication Date: 06/17/2014

Description

The BIG-IP ASM system limits the maximum number of concurrent requests with 
large payloads (10,000 bytes or larger) by default to 100, using the 
max_concurrent_long_request internal parameter. The BIG-IP ASM system drops 
new requests with large payloads once this limit is reached.

The maximum individual request length supported by the system is set by the 
long_request_buffer_size internal parameter, which defaults to 10 MB. The 
number of concurrent large requests the system can process is therefore 
dependent on the available memory in the system's memory pools. The maximum 
amount of memory available for memory pools for a BIG-IP ASM Virtual Edition 
(VE) guest provisioned with 4 GB of memory is limited to 700 MB by default.

If BIG-IP ASM VE receives many large requests, it is possible for the system 
to run out of memory.

Impact

The BIG-IP ASM enabled virtual servers stop responding until the BIG-IP ASM 
service is restarted.

Status

F5 Product Development tracked this vulnerability as ID 445508, and has 
evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product     Versions known to be   Versions known to be   Vulnerable component
            vulnerable             not vulnerable         or feature
----------  ---------------------  ---------------------  ----------------------
BIG-IP ASM  11.2.1 - 11.5.0        11.5.1                 BIG-IP Virtual Edition
                                   11.5.0 HF1
                                   11.4.1 HF4
                                   11.4.0 HF6
                                   11.0.0 - 11.2.0
                                   10.0.0 - 10.2.4

Recommended action

To eliminate this vulnerability, upgrade to a version that is listed in the 
Versions known to be not vulnerable column in the previous table.

To mitigate this vulnerability, you can perform one or more of the following 
procedures, depending on the traffic characteristics of the site:

Note: For maximum effect, appropriate parameter values may need to be 
determined empirically, depending on the traffic characteristics of a given 
site.

    Increasing the memory provisioning to the BIG-IP ASM VE guest

    Increasing the memory allocation to the system's memory pools

    Decreasing the value of the long_request_buffer_size internal parameter

    Decreasing the value of the max_concurrent_long_request internal parameter

Increasing the memory provisioning to the BIG-IP ASM VE guest

Provisioning more memory to the BIG-IP ASM VE guest will increase the default 
memory allocation for the system's memory pool, thereby decreasing the chances 
of running out of memory. For example, increasing the memory from 4 GB to 8 GB
roughly doubles the available memory for the memory pools. To increase the
memory provisioning for the BIG-IP ASM VE guest, see the manufacturer's 
documentation for the hosting hypervisor system.

Impact of action: Performing the following procedure should not have a negative
impact on your system.

Increasing the memory allocation to the system's memory pools

You can increase the memory allocation to the system's memory pool by 
increasing the value of the total_umu_max_size internal variable. For a 4 GB 
guest system, you should be able to increase this value to 1,500,000 kilobytes.
To do so, perform the following procedure:

Impact of action: Allocating too much memory to the memory pools may have a 
negative impact on the other ASM components. You must restart the BIG-IP ASM 
service, which will cause a brief service interruption.

    Log in to the BIG-IP Configuration utility.

    Navigate to Security > Options > Application Security > Advanced 
    Configuration > System Variables.

    Increase the value of the total_umu_max_size parameter in kilobytes.

    Click Save.

    Note: The default value is 0, which allocates the maximum amount of 
    available memory. The maximum amount of memory for a 4 GB guest is 700 MB.

    Restart the BIG-IP ASM service by typing the following command:

    tmsh restart /sys service asm

Decreasing the value of the long_request_buffer_size internal parameter

Decreasing the value of the long_request_buffer_size reduces the memory used 
for each large request. Depending on the traffic characteristics, you can 
usually decrease this value to between 500,000 bytes and 1,000,000 bytes. To 
decrease this value, perform the following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a 
brief service interruption.

    Log in to the BIG-IP Configuration utility.

    Navigate to Security > Options > Application Security > Advanced 
    Configuration > System Variables.

    Decrease the value of the long_request_buffer_size parameter in bytes.

    Click Save.

    Restart the BIG-IP ASM service by typing the following command:

    tmsh restart /sys service asm

Decreasing the value of the max_concurrent_long_request internal parameter

Decreasing the value of the max_concurrent_long_request parameter limits how 
many concurrent large requests are allowed before the BIG-IP ASM begins 
dropping them. Depending on traffic characteristics, this may need to be 
lowered to as little as 7 on a 4 GB guest. To decrease this value, perform the 
following procedure:

Impact of action: You must restart the BIG-IP ASM service, which will cause a 
brief service interruption.

    Log in to the BIG-IP Configuration utility.

    Navigate to Security > Options > Application Security > Advanced 
    Configuration > System Variables.

    Decrease the value of the max_concurrent_long_request parameter.

    Click Save.

    Restart the BIG-IP ASM service by typing the following command:

    tmsh restart /sys service asm
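The following capacity check is an added example, not F5 code or tooling. It relates the three tunables the advisory discusses by assuming a simple worst-case model: every admitted large request may hold a full long_request_buffer_size, so the memory bound is max_concurrent_long_request times long_request_buffer_size, and that bound must fit in the memory-pool budget (total_umu_max_size in kilobytes, or the 700 MB default for a 4 GB guest when it is 0). The model, the decimal KB/MB units, and the class and function names are assumptions of this example; ASM's real memory accounting shares the pool with other components, which is why the advisory's empirically determined floor of 7 concurrent requests on a 4 GB guest is far below the naive 70 this bound yields. The check is still useful as a first pass for spotting configurations, such as the defaults, whose bound already exceeds the pool.

```python
from dataclasses import dataclass

KB = 1_000        # total_umu_max_size is set in kilobytes (decimal units assumed)
MB = 1_000_000

# Figures taken from the advisory
DEFAULT_POOL_4GB_GUEST_BYTES = 700 * MB       # default pool cap for a 4 GB VE guest
DEFAULT_LONG_REQUEST_BUFFER_SIZE = 10 * MB    # long_request_buffer_size default, bytes
DEFAULT_MAX_CONCURRENT_LONG_REQUEST = 100     # max_concurrent_long_request default


@dataclass(frozen=True)
class AsmLongRequestConfig:
    """The three tunables the advisory relates to each other (hypothetical class)."""
    pool_bytes: int                   # memory available to the ASM memory pools
    long_request_buffer_size: int     # bytes held per large request
    max_concurrent_long_request: int  # large requests admitted before dropping

    @classmethod
    def from_parameters(cls, total_umu_max_size_kb, long_request_buffer_size,
                        max_concurrent_long_request,
                        guest_default_pool_bytes=DEFAULT_POOL_4GB_GUEST_BYTES):
        # total_umu_max_size is entered in kilobytes; 0 means "use the guest's
        # default maximum", which the advisory gives as 700 MB for a 4 GB guest.
        if (total_umu_max_size_kb < 0 or long_request_buffer_size <= 0
                or max_concurrent_long_request <= 0):
            raise ValueError("buffer size and concurrency must be positive; "
                             "total_umu_max_size may be 0 (default)")
        pool = (guest_default_pool_bytes if total_umu_max_size_kb == 0
                else total_umu_max_size_kb * KB)
        return cls(pool, long_request_buffer_size, max_concurrent_long_request)

    def worst_case_bytes(self):
        # Assumed model: every admitted large request may fill a whole buffer.
        return self.long_request_buffer_size * self.max_concurrent_long_request

    def fits_in_pool(self):
        return self.worst_case_bytes() <= self.pool_bytes

    def max_concurrency_for_pool(self, reserve_fraction=0.0):
        # Largest max_concurrent_long_request whose worst case fits in the pool
        # after reserving a fraction of it for other ASM components.
        if not 0.0 <= reserve_fraction < 1.0:
            raise ValueError("reserve_fraction must be in [0, 1)")
        usable = int(self.pool_bytes * (1.0 - reserve_fraction))
        return usable // self.long_request_buffer_size


def assess(cfg):
    """Summarise exhaustion risk and the concurrency the pool can actually cover."""
    worst = cfg.worst_case_bytes()
    return {
        "worst_case_mb": worst / MB,
        "pool_mb": cfg.pool_bytes / MB,
        "exhaustion_possible": not cfg.fits_in_pool(),
        "max_concurrent_that_fits": cfg.max_concurrency_for_pool(),
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the advisory's mitigations on a 4 GB guest.
    scenarios = {
        "defaults": AsmLongRequestConfig.from_parameters(
            0, DEFAULT_LONG_REQUEST_BUFFER_SIZE, DEFAULT_MAX_CONCURRENT_LONG_REQUEST),
        "total_umu_max_size=1500000 KB": AsmLongRequestConfig.from_parameters(
            1_500_000, DEFAULT_LONG_REQUEST_BUFFER_SIZE, DEFAULT_MAX_CONCURRENT_LONG_REQUEST),
        "long_request_buffer_size=1000000": AsmLongRequestConfig.from_parameters(
            0, 1_000_000, DEFAULT_MAX_CONCURRENT_LONG_REQUEST),
        "max_concurrent_long_request=7": AsmLongRequestConfig.from_parameters(
            0, DEFAULT_LONG_REQUEST_BUFFER_SIZE, 7),
    }
    for name, cfg in scenarios.items():
        print(f"{name}: {assess(cfg)}")
```

Running the block prints one line per scenario; the defaults scenario shows a 1,000 MB bound against a 700 MB pool, and each mitigation brings the bound under the pool in a different way. Because the bound is an upper limit rather than ASM's real accounting, use the reserve_fraction argument to leave headroom and then validate the chosen values under representative traffic, as the advisory's note recommends.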

Supplemental Information

    SOL9970: Subscribing to email notifications regarding F5 products

    SOL9957: Creating a custom RSS feed to view new and updated documents

    SOL4602: Overview of the F5 security vulnerability response policy

    SOL4918: Overview of the F5 critical issue hotfix policy

    SOL167: Downloading software and firmware from F5

    SOL13123: Managing BIG-IP product hotfixes (11.x)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU6JyrBLndAQH1ShLAQIS4w//VPE0DhkWht9YmQXzlSZNo8YGYuo/NAdP
e7lEwJRT4OjdFaP0FSD6xrZjQLtY3xO+v8Vt0GfE5E/gidA2LBbf2c5+K7WzxHvB
lrBp/dCzEFtSBE0UspKrxw5V1iWOIjhUsXrWMuOiCl2WzzwGSCofQyBISEVcm1iK
+BORzYNLmR+yGL2UTt13cpCtpRQfkRgUUsuYbzjSW+BAuWOKO9He6Es8To69w+tJ
0irBmUZ4ZMbzTMHmLdpr3mSK5x7jNJR28RrxsWPfErHA+q+cNikg/TK/nUmdjkZw
asi0k8zDabdJidOVXf09cJ7b/eMrZ7IE3PnU+hYfBfqY0SV1M7HVsT95qCRdn5f1
y3cMaLHxp1l7H7Wk4PpnyfJd8hUiCA1iQF7/NVqo/EQaUbvp44LuSVtd1rWK1ljE
q1CLbeNpnC1HyTkZDGX1OlLXqtoEwiGxc5uwmwHl/IKIbbq7TSKXOz6mVcEPv0BT
ucs5PpVf4FE25YnaUfRME91MQ7FdNawSt/Ud/79v/uRpQUaGkZPuTYYo/IKBsrys
Rv9XHKpl+s64mkaKS1kXbduSv1DG47n4VY38K4e8SuxArx7dtXuBxMfeZagwaqfU
zfDsuLD1mMxNpAqSWi3W5g2+uy/cHtCfua/rv+tMxzGMD48+jbITjzn9MDt9MsQK
1zW7aCJ6urQ=
=WYPx
-----END PGP SIGNATURE-----