Bug ID 703191: HTTP2 requests may contain invalid headers when sent to servers

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6

Opened: Jan 23, 2018
Severity: 2-Critical

Symptoms

HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.

Impact

HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.

Conditions

-- Virtual server has the HTTP/2 profile assigned. -- Client and the BIG-IP system negotiate/use HTTP/2.

Workaround

There is no workaround other than to remove the HTTP/2 profile from the virtual server.

Fix Information

None

Behavior Change