CVE-2023-22664
📋 TL;DR
This vulnerability affects F5 BIG-IP systems with specific HTTP/2 configurations enabled. When HTTP/2 client-side profile and HTTP MRF Router are both enabled on a virtual server, specially crafted requests can cause excessive memory consumption. This affects BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, and BIG-IP SPK starting from version 1.6.0.
💻 Affected Systems
- F5 BIG-IP
- F5 BIG-IP SPK
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Denial of service through memory exhaustion leading to system instability or crash, potentially disrupting all services on the affected BIG-IP device.
Likely Case
Degraded performance due to memory pressure, potentially causing service interruptions or increased latency for legitimate traffic.
If Mitigated
Minimal impact if vulnerable configurations are not in use or if systems are properly segmented and monitored.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP/2 requests to a virtual server with the vulnerable configuration. No authentication is needed if the virtual server is reachable by the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIG-IP 17.0.0.2, 16.1.3.3, or later; BIG-IP SPK: check latest version
Vendor Advisory: https://my.f5.com/manage/s/article/K56676554
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install it using the WebUI or CLI.
4. Reboot the system after installation.
🔧 Temporary Workarounds
Disable vulnerable configuration
Disable either the HTTP/2 client-side profile or the HTTP MRF Router option on each affected virtual server; the issue only applies when both are enabled together.
tmsh modify ltm virtual <virtual_server_name> profiles delete { <http2_profile_name> }
tmsh modify ltm virtual <virtual_server_name> http-mrf-router disabled
🧯 If You Can't Patch
- Disable HTTP/2 client-side profiles or HTTP MRF Router on all virtual servers
- Implement network segmentation to restrict access to vulnerable virtual servers
🔍 How to Verify
Check if Vulnerable:
Check whether any virtual servers have both an HTTP/2 client-side profile and HTTP MRF Router enabled:
tmsh list ltm virtual one-line | grep -E 'http2.*http-mrf-router'
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify the running version is patched:
tmsh show sys version | grep -E 'Version|Build'
Then confirm the vulnerable configurations are disabled on every virtual server.
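The grep above only matches HTTP/2 profiles whose name contains the literal string "http2"; a profile cloned under a custom name is missed. As an added example (not from the advisory or from F5), the POSIX shell script below resolves the real HTTP/2 profile names from `tmsh list ltm profile http2 one-line` and flags every virtual server whose profiles block contains one of them and which also has `http-mrf-router enabled`. Both inputs are constructed sample tmsh outputs so the script runs offline; on a BIG-IP they would be replaced by the live command output.

```shell
#!/bin/sh
# Added example, not part of the advisory. On a BIG-IP the two inputs would be:
#   tmsh list ltm profile http2 one-line
#   tmsh list ltm virtual one-line
# tmsh one-line output omits default values, so "http-mrf-router enabled"
# appears only on virtual servers where the MRF router was switched on.

# Constructed: the default http2 profile plus one under a custom name.
HTTP2_PROFILES='ltm profile http2 http2 { app-service none }
ltm profile http2 edge_h2 { app-service none defaults-from http2 }'

# Constructed: vs_api has both conditions (custom-named HTTP/2 profile + MRF
# router), vs_web has HTTP/2 only, vs_legacy has the MRF router only.
VIRTUALS='ltm virtual vs_api { destination 10.0.0.1:443 http-mrf-router enabled ip-protocol tcp mask 255.255.255.255 profiles { clientssl { context clientside } edge_h2 { context clientside } http { } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_web { destination 10.0.0.2:443 ip-protocol tcp mask 255.255.255.255 profiles { clientssl { context clientside } http { } http2 { context clientside } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_legacy { destination 10.0.0.3:80 http-mrf-router enabled ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } source 0.0.0.0/0 }'

# Print the name of every virtual server that carries an HTTP/2 profile AND
# has http-mrf-router enabled. $1 = http2 profile list, $2 = virtual list.
find_vulnerable_vs() {
  names=$(printf '%s\n' "$1" | awk '$1=="ltm" && $2=="profile" && $3=="http2" {printf "%s ", $4}')
  printf '%s\n' "$2" | awk -v names="$names" '
    BEGIN { n = split(names, h2, " ") }
    $1=="ltm" && $2=="virtual" {
      mrf = 0; inp = 0; d = 0; hit = 0
      for (i = 4; i <= NF; i++) {
        if ($i == "http-mrf-router" && $(i+1) == "enabled") mrf = 1
        # Enter the "profiles { ... }" block and track brace depth so nested
        # "{ context clientside }" sub-blocks do not end it early.
        if (!inp && $i == "profiles" && $(i+1) == "{") { inp = 1; d = 1; i++; continue }
        if (inp) {
          if ($i == "{") d++
          else if ($i == "}") { if (--d == 0) inp = 0 }
          # Inside the block a profile name is a token followed by "{".
          else if ($(i+1) == "{") for (k = 1; k <= n; k++) if ($i == h2[k]) hit = 1
        }
      }
      if (mrf && hit) print $3
    }'
}

find_vulnerable_vs "$HTTP2_PROFILES" "$VIRTUALS"   # prints: vs_api
```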
📡 Detection & Monitoring
Log Indicators:
- Unusual memory usage spikes in /var/log/ltm
- HTTP/2 connection errors in /var/log/httpd/error_log
Network Indicators:
- Abnormal HTTP/2 traffic patterns to virtual servers
- Increased memory consumption on BIG-IP devices
SIEM Query:
source="bigip_ltm" (("memory" AND "high" AND "utilization") OR ("http2" AND "error"))