Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
10.2.1, 10.2.2, 10.2.3, 10.2.4, 11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.4, 11.5.3 HF2, 11.4.1 HF9, 11.2.1 HF15, 10.2.4 HF12
Opened: Apr 14, 2015 Severity: 3-Major Related Article:
K16672
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.
This has the potential to exhaust the number of connections at the backend.
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server. If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as 1.1, and both the servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers timeout the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.
Mitigations: 1) iRule that can drop the connections after a specified amount of idle time. 2) iRule to validate the request line in an iRule and fix it. 3) Tuning of profile timeouts 4) ASM prevents this issue.
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.