Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1
Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
Opened: Jun 29, 2021
Severity: 3-Major
Related Article:
K63312282
The BIG-IP system may pass malicious requests to server-side pool members.
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this could result in unauthorized data injection into HTTP requests. When the affected virtual server is configured with the OneConnect profile, a malicious actor might be able to affect the responses sent to a different client.
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
   a. H2.TE request line injection
      I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
      II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
   b. Request line injection (folder traps)
   c. Request line injection (rule bypass)
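The check a downgrading proxy needs before translating HTTP/2 to HTTP/1 is that no pseudo-header value can carry CR/LF or an embedded HTTP/1 request line. The following is an added example (not F5 code) that validates the pseudo-headers and only then builds the HTTP/1.1 request the pool member would see; the sample requests and the function names are constructed for this illustration.

```python
import re

# An HTTP/1 request line must never appear inside an HTTP/2 field value,
# e.g. ":path" carrying "/ HTTP/1.1\r\nGET /admin HTTP/1.1".
_REQUEST_LINE = re.compile(rb"(?:^|[\r\n])[A-Z]+ \S+ HTTP/1\.[01]")
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token


def h2_pseudo_header_problems(pseudo: dict) -> list:
    """Return reasons to reject an HTTP/2 request before downgrading it.
    `pseudo` maps pseudo-header names (b":method", ...) to raw byte values.
    An empty list means the request is safe to translate to HTTP/1."""
    problems = []
    for name, value in pseudo.items():
        if b"\r" in value or b"\n" in value:
            problems.append("%s contains CR/LF" % name.decode())
        if _REQUEST_LINE.search(value):
            problems.append("%s embeds an HTTP/1 request line" % name.decode())
    method = pseudo.get(b":method", b"")
    if not _TOKEN.match(method):
        problems.append(":method is not a valid token")
    path = pseudo.get(b":path", b"")
    if not (path.startswith(b"/") or (path == b"*" and method == b"OPTIONS")):
        problems.append(":path must start with '/' (or be '*' for OPTIONS)")
    return problems


def downgrade_to_http1(pseudo: dict, headers: list) -> bytes:
    """Build the HTTP/1.1 request bytes for the pool member, or raise
    ValueError when the HTTP/2 request must be rejected rather than forwarded."""
    problems = h2_pseudo_header_problems(pseudo)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
             b"Host: " + pseudo.get(b":authority", b"")]
    for name, value in headers:
        # RFC 9113 forbids CR/LF in regular field names and values as well.
        if any(c in name or c in value for c in (b"\r", b"\n")):
            raise ValueError("header %r contains CR/LF" % name)
        lines.append(name + b": " + value)
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples: a benign request and one with an H2.TE-style injection.
BENIGN = {b":method": b"GET", b":path": b"/index.html",
          b":scheme": b"https", b":authority": b"app.example"}
INJECTED = {**BENIGN, b":path": b"/ HTTP/1.1\r\nGET /admin HTTP/1.1"}
```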
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo-header value from being sent to the backend server.
This has been fixed so that client requests are appropriately rejected by BIG-IP.