Last Modified: Jul 12, 2023
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206
Opened: Jan 23, 2018 Severity: 2-Critical
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.
-- Virtual server has the HTTP/2 profile assigned. -- Client and the BIG-IP system negotiate/use HTTP/2.
There is no workaround other than to remove the HTTP/2 profile from the virtual server.