F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to an “HPACK Bomb” attack (CVE-2018-5530).
Impact
HPACK bombs are designed to consume an abnormal amount of memory resources on a target system, which can result in a denial of service (DoS). This issue is exposed only on the BIG-IP system’s data plane; there is no control plane exposure for this issue.
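The memory exhaustion described above is what a receiver avoids by capping the decoded size of each HTTP/2 header block. The following is an added example, not F5 code and not part of the original advisory. It charges each decoded field its name length plus value length plus 32 octets, the accounting RFC 7541 and the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE setting use. The names HeaderBudget, repeated_field and demo, both limits, and the sample header fields are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ENTRY_OVERHEAD = 32  # octets charged per header field (RFC 7541, section 4.1)


class HeaderBudgetExceeded(Exception):
    """The header block decodes to more than the receiver is willing to hold."""


@dataclass
class HeaderBudget:
    max_list_size: int = 16 * 1024  # assumed cap on decoded octets per block
    max_ratio: float = 100.0        # assumed cap on decoded / on-wire octets

    def collect(self, wire_len, fields):
        """Pull decoded (name, value) pairs lazily and stop at the first violation."""
        if wire_len <= 0:
            raise ValueError("wire_len must be positive")
        decoded, kept = 0, []
        for name, value in fields:
            decoded += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded > self.max_list_size:
                raise HeaderBudgetExceeded(f"decoded size {decoded} > {self.max_list_size}")
            if decoded > self.max_ratio * wire_len:
                raise HeaderBudgetExceeded(f"expansion above {self.max_ratio:.0f}x")
            kept.append((name, value))
        return kept, decoded


def repeated_field(counter, n, name=b"x-pad", value=b"A" * 4000):
    """Constructed input: one large field yielded n times; counter[0] counts pulls."""
    for _ in range(n):
        counter[0] += 1
        yield name, value


def demo():
    budget = HeaderBudget()
    # Constructed ordinary request: three small fields in a 40-octet block.
    normal = [(b":method", b"GET"), (b":path", b"/index.html"), (b"user-agent", b"example/1.0")]
    _, normal_size = budget.collect(40, normal)
    pulled = [0]
    try:
        budget.collect(14_000, repeated_field(pulled, 10_000))
        verdict = "accepted"
    except HeaderBudgetExceeded:
        verdict = "rejected"
    return normal_size, verdict, pulled[0]


if __name__ == "__main__":
    print(demo())
```

Because the budget is checked as each field is produced, the oversized block is rejected after five fields rather than after all 10,000 have been held in memory.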