CVE-2018-5514
moderate-risk
Published 2018-05-02
On F5 BIG-IP 13.1.0-13.1.0.5, maliciously crafted HTTP/2 request frames can lead to denial of service. There is data plane exposure for virtual servers when the HTTP2 profile is enabled. There is no control plane exposure to this issue.
Do I need to act?
2.7% chance of exploitation in next 30 days (EPSS score: moderate exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
Affected Products (13)
Affected Vendors
References
Third Party Advisory: http://www.securityfocus.com/bid/104097
Third Party Advisory: http://www.securitytracker.com/id/1040804
Vendor Advisory: https://support.f5.com/csp/article/K45320419
49 / 100 · moderate-risk
Severity: 26/34 · High
Exploitability: 6/34 · Minimal
Exposure: 17/34 · Moderate