BIG-IP HTTP/2 profile vulnerability
CVE-2023-22664

7.5HIGH

Key Information:

Vendor: F5
Status: Big-ip; Big-ip Spk
Vendor: CVE Published:; 1 February 2023

What is CVE-2023-22664?

A vulnerability in F5 BIG-IP versions 17.0.x and 16.1.x can lead to increased memory resource utilization when specific client-side HTTP/2 profile configurations are enabled on a virtual server. This issue occurs due to undisclosed requests interacting improperly with the HTTP MRF Router option. Users should review their configurations and update to the latest software releases to mitigate potential impacts, especially when operating within sensitive environments.

Affected Version(s)

BIG-IP 17.0.0 < 17.0.0.2

BIG-IP 16.1.0 < 16.1.3.3

BIG-IP SPK 1.6.0

References

https://my.f5.com/manage/s/article/K56676554

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 1, 2023
Vulnerability Reserved
Jan 13, 2023