F5 BIG-IP and BIG-IP Next HTTP/2 Control Frame Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP and BIG-IP Next products; BIG-IQ Centralized Management and F5OS are not affected. The vulnerability arises from a flaw in the HTTP/2 implementation that allows remote, unauthenticated attackers to use malformed HTTP/2 control frames to exceed the maximum concurrent streams limit, causing increased CPU usage that can lead to a denial-of-service condition on the affected system. This issue is present in BIG-IP versions 15.1.0 through 15.1.10, 16.1.0 through 16.1.6, and 17.5.0 through 17.5.1, as well as in BIG-IP Next versions 20.3.0, 1.7.0 through 1.9.2, and 2.0.0 through 2.0.2.
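For triage across a fleet, the affected ranges above can be checked numerically rather than by eye. The following is an added example (not F5 code): it copies the version ranges from this advisory into a lookup and compares parsed version tuples, so that 15.1.10 is correctly treated as later than 15.1.2; the product names and the sample version strings are constructed for the demonstration.

```python
"""Triage helper: does a given F5 build fall inside one of the affected
ranges listed in this advisory?  Added example, not F5 code.  The ranges are
copied from the advisory text; the demo version strings are constructed."""
from typing import List, Tuple

Version = Tuple[int, ...]

# (product, first affected, last affected) as stated in the advisory.  A single
# affected version is written as a range with identical endpoints.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("BIG-IP", "15.1.0", "15.1.10"),
    ("BIG-IP", "16.1.0", "16.1.6"),
    ("BIG-IP", "17.5.0", "17.5.1"),
    ("BIG-IP Next", "20.3.0", "20.3.0"),
    ("BIG-IP Next", "1.7.0", "1.9.2"),
    ("BIG-IP Next", "2.0.0", "2.0.2"),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.4.1' into (16, 1, 4, 1).  Numeric tuples avoid the string
    comparison pitfall where '15.1.10' sorts before '15.1.2'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the build lies inside an affected range for its product.

    The advisory lists ranges at three-component granularity, so a point
    release such as 15.1.10.2 is compared on its first three components and
    therefore counts as 15.1.10 (affected).  Products with no listed range
    (e.g. BIG-IQ) are never reported as affected."""
    v = parse_version(version)
    for name, low, high in AFFECTED_RANGES:
        if name != product:
            continue
        lo, hi = parse_version(low), parse_version(high)
        # Truncate the build to the endpoint's length so extra point-release
        # components do not push it outside the range.
        if lo <= v[: len(lo)] and v[: len(hi)] <= hi:
            return True
    return False


if __name__ == "__main__":
    for prod, ver in [("BIG-IP", "15.1.2"), ("BIG-IP", "16.1.7"),
                      ("BIG-IP Next", "1.10.0"), ("BIG-IQ", "8.3.0")]:
        print(f"{prod} {ver}: {'AFFECTED' if is_affected(prod, ver) else 'not listed'}")
```

The check tells you only whether a build is in a listed range; whether the engineering hotfix described under Remediation has been applied must be confirmed separately on the device.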

Impact

Exploitation of this vulnerability can cause a significant increase in CPU usage, leading to a denial-of-service condition on the affected BIG-IP system.

Remediation

F5 has released an engineering hotfix for this vulnerability, available through the MyF5 Downloads page. After applying the hotfix, the default sensitivity to this attack can be adjusted by modifying a new db variable, Tmm.HTTP2.RSTFloodCheck. For BIG-IP 17.5.1 through BIG-IQ, an additional fix request may be needed. Consult the F5 product hotfix management guide for details.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.