Bug ID 1029897: Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1

Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5

Opened: Jun 29, 2021
Severity: 3-Major
Related Article:
K63312282

Symptoms

The BIG-IP system may pass malicious requests to server-side pool members.

Impact

Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this can lead to an HTTP request smuggling attack. When the affected virtual server is configured with the OneConnect profile, an attacker might be able to impact the responses sent to a different client.

Conditions

1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side. 2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members: a. H2.TE request line injection I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header b. Request line injection (folder traps) c. Request line injection (rule bypass)

Workaround

You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.

Fix Information

This has been fixed so that client requests are appropriately rejected by BIG-IP.

Behavior Change