F5 Employee

Problem this snippet solves:


This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. This is based mainly on the software version, and on the modules provisioned, appliance mode, etc. It does not look at your configuration in detail, so it is only to be used as a guide. For instance, it does not check whether you are actually using APM, or SNAT, or HTTP/2.

There are two reports - the at-a-glance report on the Critical CVEs, and a more detailed HTML report created in the /var/tmp directory of the device which shows all of the BIG-IP CVEs and performs more detailed checks.

Summary Report


Detailed Report


How to use this snippet:

Download the file and extract to a local directory

Install the template as normal:

  1. Log in to the BIG-IP TMUI and go to iApps>Templates>Templates.
  2. Click on Import (on the right-hand side).
  3. Select the cve-checker-2021.tmpl file and hit Upload.

To see the report, create an app using this template

  1. Go to iApps>Application Services>Applications
  2. Click on Create (on the right-hand side)
  3. From Template, select cve-checker-2021
  4. View summary report in this window
  5. Add a name for the application and hit Finished
  6. Retrieve report from /var/tmp
  7. To refresh the report, go to Reconfigure and hit Finished again

If you find any bugs or issues with this then feel free to PM me here.

This code has been developed and tested in a lab so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development, then please PM me.

Tested this on version:

F5 Employee

I have been doing some testing - Appliance Mode checking is to be improved, and CVE-2021-22999 is slightly inaccurate so needs checking


Very good stuff!

But, I have the version: 

     BIG-IP Build 0.0.10 Point Release 2

I get the following error:

Error parsing template:can't eval proc: "script::run" version conflict for package "iapp": have 1.1.2, need 1.3.0 while executing "package require iapp 1.3.0" (procedure "script::run" line 2) invoked from within "script::run" line:1

Thank you!

F5 Employee

Great, thanks for testing it Manuel. I have just updated it so it supports v11, so maybe you can try again. I have also improved the appliance mode checking and made the software version checking a bit simpler and hopefully more accurate.


Thanks Pete.

I tried again and found other inaccuracies.


About CVE-2021-22986 the output is:

YES. You should update to a fixed version asap. See for further details


About CVE-2021-22991 the output is:

MAYBE. Your software is generally vulnerable but there are specific circumstances in different modules so you need to investigate this further. See for further details


But, CVE-2021-22986 and CVE-2021-22991 are not applicable for version 11.x 


Could you verify?


Thanks again!

F5 Employee

Thanks again Manuel, you are now the official quality tester haha. Updated to correct this. I will later improve the way that the summary report does the checks as it could be more efficient.


After upgrade 14.1.4, still getting


CVE-2021-22999 CVSS score: 5.9 (Medium)

Vulnerability info

K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999

The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.



The software version is vulnerable. You should update to TMOS v14.1.4 as soon as possible.


A remote attacker may cause the Traffic Management Microkernel (TMM) to leak memory and, over time, consume excessive system resources, leading to slow operation and eventual failover to a standby host.
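As an added example (not the iApp's own code, which is not shown on this page), here is one way to do the kind of version check discussed in this thread: compare release numbers as integers and treat the fixed release itself as not vulnerable. The function names and the `FIXED_IN` table are assumptions; only the 14.1.4 fixed release for CVE-2021-22999 is taken from the report text quoted above.

```python
import re

# Fixed release per branch for CVE-2021-22999. Only the 14.1 entry comes from
# the report text quoted on this page; fill in other branches from the
# advisory (K02333782) before relying on the result.
FIXED_IN = {(14, 1): (14, 1, 4)}


def parse_version(text):
    """Turn '14.1.4' or '14.1.2.6' into a tuple of ints, e.g. (14, 1, 4)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(version, length):
    """Right-pad with zeros so '14.1' and '14.1.0' compare as equal."""
    return version + (0,) * (length - len(version))


def check(version_text, fixed_in=FIXED_IN):
    """Return 'VULNERABLE', 'FIXED' or 'UNKNOWN' for one software version."""
    version = parse_version(version_text)
    fixed = fixed_in.get(version[:2])  # branch = major.minor
    if fixed is None:
        # No data for this branch: report that rather than guessing YES or NO.
        return "UNKNOWN"
    width = max(len(version), len(fixed))
    # Strictly below the fixed release is vulnerable; the fixed release is not.
    if _pad(version, width) < _pad(fixed, width):
        return "VULNERABLE"
    return "FIXED"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real device.
    for sample in ("14.1.3.1", "14.1.4", "14.1.4.1", "14.1.10", "11.6.5"):
        print(sample, check(sample))
```

Comparing integer tuples avoids the string-comparison trap in which "14.1.10" sorts before "14.1.4", and the strict `<` keeps a device running exactly the fixed release from being reported as vulnerable.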

F5 Employee

Thanks for the info Sajid, I’ll take a look.

Version history
Last update: 11-Mar-2021 13:41