F5 BIG-IP
- >= 2.0.0, <= 2.0.3
- >= 1.7.0, <= 1.9.2
A denial-of-service vulnerability has been identified in F5 BIG-IP systems when an HTTP/2 profile is active on a virtual server. Undisclosed requests can cause excessive memory usage, degrading system performance. This issue affects the Traffic Management Microkernel (TMM) process, which may require a manual or forced restart to recover. The vulnerability allows remote, unauthenticated attackers to disrupt service, creating a denial-of-service condition on the affected BIG-IP system.
Exploitation of this vulnerability leads to increased memory usage, causing system performance to degrade. This degradation can result in a denial-of-service condition on the BIG-IP system, as the Traffic Management Microkernel (TMM) process may need to be manually restarted or forced to restart after being overwhelmed.
To address this vulnerability, users can upgrade to a fixed version. For BIG-IP Next SPK, versions 2.0.0 to 2.0.3 are vulnerable, while version 2.3.2 is a fixed version. For BIG-IP Next CNF, versions 2.0.0 to 2.3.1 are vulnerable, with version 2.3.2 available as a fix. In the BIG-IP 21.x branch, versions 21.0.0 to 21.1.0 are vulnerable, while version 21.1.0.1 is a fixed version. For BIG-IP 17.x, versions 17.5.0 to 17.5.1 and 17.1.0 to 17.1.3 are vulnerable, with versions 17.5.1.8 and 17.1.3.4 available as fixes. Users can also create a custom eviction policy with Slow Flow Monitoring enabled and associate it with the affected virtual server as a mitigation strategy.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.