F5 BIG-IP HTTP/2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP systems when an HTTP/2 profile is active, and an iRule using the HTTP::redirect or HTTP::respond command is applied to a virtual server. Under these conditions, certain undisclosed requests can lead to the termination of the Traffic Management Microkernel (TMM) process, causing a disruption as TMM restarts. This issue affects BIG-IP versions 21.0.0, 17.5.0 through 17.5.1, 17.1.0 through 17.1.3, and 16.1.0 through 16.1.6, as well as BIG-IP Next versions 1.7.0 through 1.7.16 and 2.0.0 through 2.0.2.

Impact

Exploitation of this vulnerability causes a denial-of-service condition on the BIG-IP system by disrupting traffic management processes, leading to temporary service unavailability.

Remediation

Users can upgrade BIG-IP to version 21.0.0.1, 17.5.1.4, or 17.1.3.1, and BIG-IP Next to version 1.4.1. For more information on managing BIG-IP product hotfixes, refer to the F5 article K13123.
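The advisory ties exposure to three conditions at once: an affected classic BIG-IP version, an active HTTP/2 profile, and an iRule on the virtual server that calls HTTP::redirect or HTTP::respond. The following triage helper is an added example, not F5 code; the version ranges and fixed releases are copied from the advisory text, the iRule snippet is constructed, and the BIG-IP Next branches are left out because the advisory lists only a single fixed release for them.

```python
"""Triage helper for the BIG-IP HTTP/2 DoS advisory described above.

Added example, not F5 code. Version ranges and fixed releases come from
the advisory text; the sample iRule is constructed for illustration."""
import re

# (first affected, last affected, fixed release) per classic BIG-IP branch,
# as listed in the advisory. No fixed release is given for 16.1.x.
AFFECTED_BRANCHES = [
    ("21.0.0", "21.0.0", "21.0.0.1"),
    ("17.5.0", "17.5.1", "17.5.1.4"),
    ("17.1.0", "17.1.3", "17.1.3.1"),
    ("16.1.0", "16.1.6", None),
]
# The two iRule commands the advisory names as part of the vulnerable condition.
TRIGGER_COMMANDS = re.compile(r"\bHTTP::(redirect|respond)\b")

def parse_version(text):
    """'17.1.3.1' -> (17, 1, 3, 1); rejects anything but dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))

def version_status(version):
    """Return (affected, fixed_release). A branch with a published fix is
    affected below that fix; 16.1.x is affected across the listed range."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_BRANCHES:
        if v < parse_version(lo):
            continue
        if fixed is not None and v < parse_version(fixed):
            return True, fixed
        if fixed is None and v[:3] <= parse_version(hi):
            return True, None
    return False, None

def irule_uses_trigger_commands(irule):
    """True when a non-comment iRule line calls HTTP::redirect or HTTP::respond."""
    code = "\n".join(l for l in irule.splitlines() if not l.lstrip().startswith("#"))
    return TRIGGER_COMMANDS.search(code) is not None

def triage(version, http2_profile, irule):
    """All three advisory conditions must hold for the virtual server to be exposed."""
    affected, fixed = version_status(version)
    trigger = irule_uses_trigger_commands(irule)
    return {"affected_version": affected, "irule_trigger": trigger, "fixed_release": fixed,
            "exposed": affected and http2_profile and trigger}

# Constructed iRule: a common HTTP-to-HTTPS redirect, which matches the advisory's condition.
SAMPLE_IRULE = 'when HTTP_REQUEST {\n    # send clients to HTTPS\n    HTTP::redirect "https://[HTTP::host][HTTP::uri]"\n}'
```

Run `triage("17.1.2", True, SAMPLE_IRULE)` to see a fully exposed configuration; flipping any one of the three inputs clears the `exposed` flag.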

Added: May 13, 2026, 5:51 PM
Updated: May 13, 2026, 5:51 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 7.6
remediation: 7.9
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.