History: Oct 28, 2020 - 12:00 a.m.

K26244025 : BIG-IP HTTP compression profile vulnerability CVE-2020-5933

2020-10-28 00:00:00
my.f5.com
big-ip
http
compression
vulnerability
cve-2020-5933
out-of-memory
dos
slowloris-style
attack

EPSS

0.001

Percentile

42.5%

Security Advisory Description

When a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger an out-of-memory condition on the BIG-IP system. (CVE-2020-5933)

Impact

This vulnerability may lead to an out-of-memory condition in the BIG-IP system, causing a denial of service (DoS).

The Slowloris attack is a type of DoS attack that targets threaded web servers. Slowloris attacks attempt to monopolize all available request handling threads on the web server by sending HTTP requests that never complete. Because each request consumes a thread, the Slowloris attack eventually consumes all of the web server’s connection capacity, effectively denying access to legitimate users.
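A defender-side illustration of the pattern described above, added here and not taken from F5's advisory: it flags clients that hold several long-lived, incomplete HTTP messages with compressed payloads. The record layout, function names and thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample records (not BIG-IP log output). Each row is one open
# connection: client, Content-Encoding, declared Content-Length,
# bytes received so far, seconds the message has been in flight.
SAMPLE = """\
198.51.100.7 gzip 4096 12 95
198.51.100.7 gzip 4096 30 120
198.51.100.7 deflate 8192 8 240
198.51.100.7 gzip 2048 5 61
203.0.113.20 gzip 4096 4096 2
203.0.113.20 identity 512 10 300
192.0.2.33 gzip 1000000 900000 45
"""

COMPRESSED = {"gzip", "deflate"}
MIN_AGE_S = 60        # assumed: message in flight at least this long
MAX_RATE_BPS = 50.0   # assumed: slower than this counts as stalled
MIN_STALLED = 3       # assumed: stalled connections per client to flag


def parse(text):
    """Yield (client, encoding, declared, received, age_s) per valid row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed rows instead of failing
        client, enc, declared, received, age = parts
        try:
            yield client, enc.lower(), int(declared), int(received), float(age)
        except ValueError:
            continue


def is_stalled(enc, declared, received, age_s):
    """Compressed, incomplete, old, and arriving below the rate floor."""
    if enc not in COMPRESSED or received >= declared or age_s < MIN_AGE_S:
        return False
    return received / age_s < MAX_RATE_BPS


def flag_clients(text, min_stalled=MIN_STALLED):
    """Return {client: stalled_count} for clients at or above the threshold."""
    counts = defaultdict(int)
    for client, enc, declared, received, age_s in parse(text):
        if is_stalled(enc, declared, received, age_s):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= min_stalled}
```

A large transfer that is young and moving quickly (the `192.0.2.33` row) is not flagged, which keeps legitimate slow-but-progressing uploads out of the result.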
