Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6
Fixed In:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
Opened: Jul 25, 2021
Severity: 3-Major
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230. The multipart parser of ASM does not support multiline headers, so requests that contain them cause false positives.
False positives.
Multiline header in multipart request
None
Introduced a new ASM internal parameter: multipart_allow_multiline_header

Note: The default value is 0 (disabled).
Note: Enabling or disabling the feature requires an ASM restart, which takes the unit offline for a short time. If the unit is part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic is disrupted until the unit comes back online.

- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm

- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
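The following added example (not F5's code and not ASM's implementation) shows why a folded header inside a multipart part is flagged by a strict parser and accepted once unfolding is allowed. The `allow_multiline` flag, the function names and the sample part are assumptions made for illustration.

```python
import re

# Constructed sample: one multipart part whose Content-Disposition value is
# folded onto a second line (RFC 2616 line folding, deprecated by RFC 7230).
SAMPLE_PART_HEADERS = (
    b'Content-Disposition: form-data; name="upload";\r\n'
    b'\tfilename="report.txt"\r\n'
    b'Content-Type: text/plain\r\n'
)

# Header field names are HTTP tokens.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised where a WAF parser would report the request as malformed."""


def parse_part_headers(raw: bytes, allow_multiline: bool = False) -> dict:
    """Parse the header block of one multipart part.

    allow_multiline is a hypothetical flag mirroring the intent of
    multipart_allow_multiline_header (assumption, not ASM's own logic).
    """
    headers = {}
    last = None
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):  # continuation (folded) line
            if not allow_multiline or last is None:
                raise MalformedHeader("folded header line: %r" % line)
            # Unfold: join to the previous value with a single space.
            headers[last] += b" " + line.strip(b" \t")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise MalformedHeader("bad header line: %r" % line)
        last = name.lower()
        headers[last] = value.strip(b" \t")
    return headers


def classify(raw: bytes, allow_multiline: bool) -> str:
    """Return 'flagged' where the strict parser would raise a violation."""
    try:
        parse_part_headers(raw, allow_multiline)
        return "accepted"
    except MalformedHeader:
        return "flagged"
```

A continuation line with no preceding header is still rejected when unfolding is enabled, so the relaxed mode does not accept arbitrary leading whitespace.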