F5 BIG-IP HTTP/3 QUIC Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in F5 BIG-IP version 15.1.0.1. When the HTTP/3 QUIC profile is enabled, specially formatted HTTP/3 messages can cause the Traffic Management Microkernel (TMM) to crash and produce a core file. Traffic processing may fail temporarily while TMM restarts. In high availability configurations, this issue can trigger a failover to the standby host.
Impact
Exploitation of this vulnerability causes the Traffic Management Microkernel (TMM) to crash, produce a core file, and restart, temporarily disrupting traffic processing on BIG-IP hosts with the HTTP/3 QUIC profile enabled. This disruption can cause high availability configurations to fail over to the standby host.
Remediation
Users can upgrade to BIG-IP version 15.1.0.2 to address this vulnerability. For guidance on managing BIG-IP product hotfixes, refer to the F5 article K13123.
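An exposure check for the two conditions this advisory names (version 15.1.0.1 and an HTTP/3 QUIC profile in use), added here as an example and not F5's own tooling. It takes `tmsh show sys version` output and bigip.conf-style stanzas as text; the sample input, the profile and virtual server names, and the assumed `ltm profile http3` / `ltm profile quic` stanza layout are constructed, and profiles not defined in the supplied text (built-in ones) must be named through the hypothetical extra_profiles parameter.

```python
import re

AFFECTED_VERSION = "15.1.0.1"  # the version named in the advisory
# Constructed samples: `tmsh show sys version` output and bigip.conf-style stanzas.
SAMPLE_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.0.1\n"
SAMPLE_CONF = """\
ltm profile http3 /Common/http3_edge { }
ltm profile quic /Common/quic_edge { }
ltm virtual /Common/vs_web {
    profiles {
        /Common/http3_edge { }
        /Common/quic_edge { }
    }
}
ltm virtual /Common/vs_api {
    profiles {
        /Common/http { }
    }
}
"""

def _body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration text")

def running_version(show_sys_version):
    m = re.search(r"^\s*Version\s+(\S+)\s*$", show_sys_version, re.M)
    return m.group(1) if m else None

def quic_virtuals(conf, extra_profiles=()):
    """Map each virtual server to the HTTP/3 or QUIC profiles attached to it."""
    quic = set(re.findall(r"^ltm profile (?:http3|quic) (\S+) \{", conf, re.M)) | set(extra_profiles)
    hits = {}
    for m in re.finditer(r"^ltm virtual (\S+) \{", conf, re.M):
        vs = _body(conf, m.end() - 1)
        p = re.search(r"^\s*profiles \{", vs, re.M)
        attached = re.findall(r"^\s*(\S+) \{", _body(vs, p.end() - 1), re.M) if p else []
        if quic.intersection(attached):
            hits[m.group(1)] = sorted(quic.intersection(attached))
    return hits

def exposed(show_sys_version, conf, extra_profiles=()):
    """True only when both conditions stated in the advisory hold."""
    return (running_version(show_sys_version) == AFFECTED_VERSION
            and bool(quic_virtuals(conf, extra_profiles)))
```

A host for which exposed() returns True is a candidate for the 15.1.0.2 upgrade described above; the keys of quic_virtuals() list the virtual servers that carry the profile.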
