F5 BIG-IP and BIG-IQ HTTP/2 Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP and BIG-IQ systems when HTTP/2 client and server profiles are configured on a virtual server. Undisclosed requests can lead to the termination of the Traffic Management Microkernel (TMM) process, causing a disruption in traffic as TMM restarts. This issue affects BIG-IP versions 15.1.0 through 15.1.10, 16.1.0 through 16.1.4, and 17.1.0 through 17.1.1. BIG-IQ Centralized Management is not vulnerable.

Impact

Exploitation of this vulnerability causes a denial-of-service condition on the BIG-IP system, disrupting traffic management as the TMM process restarts.

Remediation

Users can upgrade to BIG-IP versions 17.1.2, 16.1.5, or 15.1.10.7.0.4.5 to address this vulnerability. For more information about managing BIG-IP product hotfixes, refer to the MyF5 article K13123.