CVE-2021 Checker iApp

Problem this snippet solves:
Overview

This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. The check is based mainly on the software version, together with the modules provisioned, appliance mode and similar platform facts; it does not inspect your configuration in detail, so treat the result only as a guide. For instance, it does not check whether you are actually using APM, SNAT or HTTP/2.


There are two reports: the at-a-glance report on the Critical CVEs, and a more detailed HTML report written to the /var/tmp directory of the device, which lists all of the BIG-IP CVEs and performs more detailed checks.
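To show the kind of check the summary report performs (software version compared per branch against an advisory's fixed version, then a module-provisioned gate), here is an added stand-alone Python illustration; it is not code from the iApp, which is written in Tcl. The advisory table, the module name and the "NO" verdict are constructed assumptions; the "YES"/"MAYBE" wording mirrors the summary report output quoted in the comments below.

```python
import re

# Constructed placeholder data for one hypothetical advisory (NOT real fixed versions).
# Real per-branch fixed versions and affected modules come from the F5 K article
# for each CVE. Convention used in this example: a branch absent from "fixed" is
# not affected; a fixed value of None means affected with no fix in that branch.
EXAMPLE_ADVISORY = {
    "fixed": {"14.1": "14.1.4", "13.1": "13.1.3.6", "12.1": None},
    "modules": {"apm"},   # empty set means the version alone decides exposure
}

VERSION_RE = re.compile(r"^\s*(?:BIG-IP\s+)?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the TMOS version as a 4-tuple of ints from strings such as
    'BIG-IP 11.6.5.2 Build 0.0.10 Point Release 2' or '14.1.4'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"no TMOS version in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))   # '14.1.4' -> (14, 1, 4, 0)


def check(version_text, provisioned, advisory):
    """Classify a device as YES / MAYBE / NO for one advisory.
    Comparison is numeric per branch, so '14.1.10' ranks above '14.1.4'
    (a plain string compare would get that wrong)."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in advisory["fixed"]:
        return "NO"                      # branch not listed as affected
    fixed = advisory["fixed"][branch]
    if fixed is not None and v >= parse_version(fixed):
        return "NO"                      # running the fixed version or later
    required = advisory["modules"]
    if not required:
        return "YES"                     # affected version, no module condition
    if required & {m.lower() for m in provisioned}:
        return "MAYBE"                   # module provisioned, actual use not verified
    return "NO"                          # affected module is not provisioned
```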


Summary Report


Detailed Report

How to use this snippet:

Download the file and extract it to a local directory.

Install the template as normal:

  1. Log in to the BIG-IP TMUI and go to iApps > Templates > Templates.
  2. Click Import (on the right-hand side).
  3. Select the cve-checker-2021.tmpl file and hit Upload.

To see the report, create an application using this template:

  1. Go to iApps > Application Services > Applications.
  2. Click Create (on the right-hand side).
  3. From Template, select cve-checker-2021.
  4. View the summary report in this window.
  5. Add a name for the application and hit Finished.
  6. Retrieve the detailed report from /var/tmp.
  7. To refresh the report, go to Reconfigure and hit Finished again.


If you find any bugs or issues with this, feel free to PM me here.


This code has been developed and tested in a lab, so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development, please PM me.


Tested this on version:

13.1
Published Mar 11, 2021
Version 1.0
  • I have been doing some testing. Appliance Mode checking is to be improved, and CVE-2021-22999 is slightly inaccurate, so it needs checking.

  • Very good stuff!

    But, I have the version: 

         BIG-IP 11.6.5.2 Build 0.0.10 Point Release 2

    I get the following error:

    Error parsing template:can't eval proc: "script::run" version conflict for package "iapp": have 1.1.2, need 1.3.0 while executing "package require iapp 1.3.0" (procedure "script::run" line 2) invoked from within "script::run" line:1

    Thank you!

  • Great, thanks for testing it, Manuel. I have just updated it so it supports v11, so maybe you can try again. I have also improved the appliance mode checking and made the software version checking a bit simpler and hopefully more accurate.

  • Thanks Pete.

    I tried again and found other inaccuracies.

    About CVE-2021-22986 the output is:

    YES. You should update to a fixed version asap. See https://support.f5.com/csp/article/K03009991 for further details

    About CVE-2021-22991 the output is:

    MAYBE. Your software is generally vulnerable but there are specific circumstances in different modules so you need to investigate this further. See https://support.f5.com/csp/article/K56715231 for further details

    But CVE-2021-22986 and CVE-2021-22991 are not applicable for version 11.x.

    Could you verify?

    Thanks again!

  • Thanks again Manuel, you are now the official quality tester haha. Updated to correct this, I will later improve the way that the summary report does the checks as it could be more efficient.

  • Sajid:

    After upgrading to 14.1.4, still getting:

    CVE-2021-22999 CVSS score: 5.9 (Medium)

    Vulnerability info

    K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999

    The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.


    Vulnerable

    The software version is vulnerable. You should update to TMOS v14.1.4 as soon as possible.

    Impact

    A remote attacker may cause the Traffic Management Microkernel (TMM) to leak memory and, over time, consume excessive system resources, leading to slow operation and eventual failover to a standby host.