CVE intelligence and bounded remediation
CVE-2018-5509 — F5 Big-Ip Access Policy Manager security vulnerability
On F5 BIG-IP versions 13.0.0 or 12.1.0 - 12.1.3.1, when a specifically configured virtual server receives traffic of an undisclosed nature, TMM will crash and take the configured failover action, potentially causing a denial of service. The configuration which exposes this issue is not common and in general does not work when enabled in previous versions of BIG-IP. Starting in 12.1.0, BIG-IP will crash if the configuration which exposes this issue is enabled and the virtual server receives non TCP traffic. With the fix of this issue, additional configuration validation logic has been added to prevent this configuration from being applied to a virtual server. There is only data plane exposure to this issue with a non-standard configuration. There is no control plane exposure.
- Severity
- High
- CVSS
- 7.8 (2.0)
- Published
- 2018-03-22
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-20
Affected products
- f5 / big-ip_access_policy_manager
- f5 / big-ip_advanced_firewall_manager
- f5 / big-ip_application_acceleration_manager
- f5 / big-ip_application_security_manager
- f5 / big-ip_link_controller
- f5 / big-ip_local_traffic_manager
Matched remediation archetype
Resource exhaustion and denial of service
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
- Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
- Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.
Remediate safely
- Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
- Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
- Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.