CVE-2022-35240 - Improper Resource Shutdown or Release

Severity

75%

Complexity

39%

Confidentiality

60%

In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5, when the Message Routing (MR) Message Queuing Telemetry Transport (MQTT) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Demo Examples

Improper Resource Shutdown or Release

CWE-404

The following method never closes the file handle it opens. The Finalize() method for StreamReader eventually calls Close(), but there is no guarantee as to how long it will take before the Finalize() method is invoked. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, this can result in the VM using up all of its available file handles.


               
}
}
processLine(line);

Improper Resource Shutdown or Release

CWE-404

This code attempts to open a connection to a database and catches any exceptions that may occur.


               
}
Connection con = DriverManager.getConnection(some_connection_string);
log( e );

If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application.

Improper Resource Shutdown or Release

CWE-404

Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries.


               
...

Improper Resource Shutdown or Release

CWE-404

The following C function does not close the file handle it opens if an error occurs. If the process is long-lived, the process can run out of file handles.


               
}

                     
return DECODE_SUCCESS;
return DECODE_FAIL;

                           
}
}
return DECODE_FAIL;
decodeBlock(buf);

Improper Resource Shutdown or Release

CWE-404

In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource.


               
}
void foo();
delete ptr;

Improper Resource Shutdown or Release

CWE-404

In this example, the program calls the delete[] function on non-heap memory.


               
}
void foo(bool);
delete[] p;
11,22
p = new int[2];

Overview

Type

F5

First reported 2 years ago

2022-08-04 18:15:00

Last updated 2 years ago

2022-08-10 18:46:00

Affected Software

F5 Big-IP Analytics

F5 Big-IP Access Policy Manager (APM)

F5 Big-IP Advanced Firewall Manager (AFM)

F5 Big-IP Application Acceleration Manager (AAM)

F5 Big-IP Application Security Manager (ASM)

F5 Big-IP Fraud Protection Service (FPS)

F5 Big-IP Domain Name System (DNS)

F5 Big-IP Policy Enforcement Manager (PEM)

F5 Networks Big-IP Local Traffic Manager (LTM)

F5 Big-IP Global Traffic Manager (GTM)

F5 Big-IP Link Controller

References

https://support.f5.com/csp/article/K28405643

https://support.f5.com/csp/article/K28405643

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.