F5 BIG-IP SPDY/HTTP/2 Profile Vulnerability CVE-2016-7475 Advisory

Security Advisory Number: - K01587042 Vulnerability Name: - BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 Release and Update Dates: - Release Date: Nov 28, 2016 - Update Date: Feb 22, 2023 Affected Products: - BIG-IP LTM - BIG-IP AAM - BIG-IP ASM - BIG-IP APIM - BIG-IP AFM - BIG-IP PEM - BIG-IP Link Controller Impact Description: - In certain circumstances, the Traffic Management Microkernel (TMM) may not properly clean up pool member network connections when using SPDY or HTTP/2 virtual server profiles. Specific Impact: - In many cases, pool members will tear down these connections after a brief Keep-Alive timeout. However, excessive connections to pool members may lead to service disruption. Known Vulnerable and Non-Vulnerable Versions (partial examples): - BIG-IP LTM: - Known Vulnerable Versions: 12.0.0 - 12.1.0, 11.4.0 - 11.6.1 - Known Non-Vulnerable Versions: 13.0.0, 12.1.1 - 12.1.2, 11.6.1 HF1, 11.5.4 HF2, 11.2.1, 10.2.1 - 10.2.4 - BIG-IP APM: - Known Vulnerable Versions: 12.0.0 - 12.1.0, 11.4.0 - 11.6.1 - Known Non-Vulnerable Versions: 13.0.0, 12.1.1 - 12.1.2, 11.6.1 HF1, 11.5.4 HF2, 11.2.1, 10.2.1 - 10.2.4 Vulnerability Severity: High Affected Component or Feature: Virtual servers configured to use SPDY or HTTP/2 profiles. Recommended Action by Security Advisory: - If running a version in the "Known Vulnerable" list, upgrade to a version in the "Known Non-Vulnerable" list to mitigate the vulnerability. Mitigation Measures: None. Related Content: - K9970: Subscribe to F5 product email notifications - K9957: Create a custom RSS feed to view new and updated documents - K4602: Overview of F5 Security Vulnerability Response Policy - K4918: Overview of F5 Critical Issue Fix Policy - K167: Download software and firmware from F5 - K13123: Manage BIG-IP product fix patches (11.x - 12.x)

Goal Reached Thanks to every supporter — we hit 100%!

F5 BIG-IP SPDY/HTTP/2 Profile Vulnerability CVE-2016-7475 Advisory