F5 BIG-IP HTTP2 Profile Memory Resource Consumption Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in F5 BIG-IP versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.6.1, and 14.1.x prior to 14.1.5. When an HTTP2 profile is active on a virtual server, certain undisclosed traffic can cause memory usage to increase. The rise in memory consumption can degrade system performance until the Traffic Management Microkernel (TMM) process crashes or has to be restarted manually. This is a data plane issue only; there is no control plane exposure.

Impact

Exploitation of this vulnerability degrades BIG-IP system performance and can result in a denial-of-service condition.

Remediation

Users can upgrade to BIG-IP versions 16.1.2.2, 15.1.6.1, or 14.1.5 to address this vulnerability. F5 also recommends configuring BIG-IP systems with high availability to mitigate the impact.
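
Added example (not part of the original advisory and not F5 tooling): a triage script that applies the two conditions stated above, an affected version and an HTTP2 profile in use, to a device inventory. The inventory rows, hostnames and status labels are constructed for illustration, and it assumes the inventory already records whether an HTTP2 profile is attached to any virtual server.

```python
# Fixed release for each affected branch, taken from the advisory text.
FIXED = {(16, 1): (16, 1, 2, 2), (15, 1): (15, 1, 6, 1), (14, 1): (14, 1, 5)}


def parse_version(text):
    """Turn '15.1.6.1' into (15, 1, 6, 1); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version, width=4):
    """Pad with zeros so that 14.1.5 and 14.1.5.0 compare as equal."""
    return version + (0,) * max(0, width - len(version))


def assess(version_text, http2_profile_in_use):
    """Classify one device; the status labels are hypothetical names."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The advisory says nothing about this branch: do not report it as safe.
        return "not-listed"
    if pad(version) >= pad(fixed):  # numeric compare, so 15.1.10 > 15.1.6.1
        return "fixed"
    # Affected release: the issue only applies when an HTTP2 profile is active.
    return "exposed" if http2_profile_in_use else "affected-version-no-http2"


# Constructed sample inventory: (hostname, version, HTTP2 profile on a virtual server)
INVENTORY = [
    ("bigip-a.example", "16.1.2.1", True),
    ("bigip-b.example", "15.1.6.1", True),
    ("bigip-c.example", "14.1.4.6", False),
    ("bigip-d.example", "17.0.0", True),
]


def triage(inventory):
    """Map each hostname to its status."""
    return {host: assess(version, h2) for host, version, h2 in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "affected-version-no-http2" still need the upgrade, since attaching an HTTP2 profile later would expose them.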

Added: Apr 7, 2026, 11:23 AM
Updated: Apr 7, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.