CVE-2020-5871

Name of the Vulnerable Software and Affected Versions F5 BIG-IP versions 14.1.0 through 14.1.2.3

Description The issue allows undisclosed requests to cause a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers. This problem occurs when ciphers, which have been blacklisted by the HTTP/2 RFC, are used on backend servers. It is a data-plane issue with no control-plane exposure.

Recommendations For versions 14.1.0 through 14.1.2.3, consider restricting the use of blacklisted ciphers on backend servers to minimize the risk of exploitation. As a temporary workaround, restrict access to BIG-IP HTTP/2 virtual servers until a patch is available.