Bug ID 1070273: OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly.

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
17.0.0, 16.1.2.2, 15.1.6.1

Opened: Dec 26, 2021

Severity: 3-Major

Symptoms

On the OWASP dashboard, for both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly based on the xml-profile allowDTD field.

Impact

The actual OWASP compliance for this protection can differ from what the GUI shows.

Conditions

Open the OWASP page for any non-parent/child security policy (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under the A4 category, and for 2021 under the A5 category.

Workaround

The actual conditions that satisfy the Disallow DTDs in XML content profile protection are:
1. The 'XML data does not comply with format settings' violation should be set to alarm + block.
2. The 'Malformed XML data' violation should be set to alarm + block.
3. No XML content profile in the policy has allowDTDs set to true.

Fix Information

The scoring calculation was changed: the score is now given only if no XML content profile in the policy has the allowDTDs field set to true.

Behavior Change

Until now, the scoring of the Disallow DTDs in XML content profile protection searched for at least one XML content profile in the policy that had the allowDTDs field set to true. The correct way is to give the score only if no XML content profile in the policy has the allowDTDs field set to true.
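
On affected versions the dashboard value cannot be relied on, so the three workaround conditions can be evaluated directly. The following is an added example, not F5 code: it checks those conditions and shows the pre-fix profile scoring next to the fixed one. The dict layout, key names other than allowDTDs, and sample policies are assumptions constructed for illustration.

```python
# Added example. The dict layout ("violations", "xml_profiles") is an assumed,
# simplified model of a policy, not the BIG-IP export schema.
REQUIRED_VIOLATIONS = (
    "XML data does not comply with format settings",
    "Malformed XML data",
)

def allows_dtds(profiles):
    """Names of XML content profiles whose allowDTDs field is true."""
    return [p["name"] for p in profiles if p.get("allowDTDs") is True]

def pre_fix_profile_score(profiles):
    """Pre-fix behavior: scored when at least one profile had allowDTDs true."""
    return len(allows_dtds(profiles)) > 0

def fixed_profile_score(profiles):
    """Fixed behavior: scored only when no profile has allowDTDs true."""
    return len(allows_dtds(profiles)) == 0

def violations_enforced(violations):
    """Conditions 1 and 2: both violations set to alarm and block."""
    state = {v["name"]: (v.get("alarm") is True and v.get("block") is True)
             for v in violations}
    return all(state.get(name, False) for name in REQUIRED_VIOLATIONS)

def audit(policy):
    """Evaluate the three workaround conditions and show the pre-fix result."""
    profiles = policy.get("xml_profiles", [])
    return {
        "satisfied": violations_enforced(policy.get("violations", []))
                     and fixed_profile_score(profiles),
        "pre_fix_profile_score": pre_fix_profile_score(profiles),
        "profiles_allowing_dtds": allows_dtds(profiles),
    }

# Constructed sample policies (not taken from a real device).
ENFORCED = [{"name": n, "alarm": True, "block": True} for n in REQUIRED_VIOLATIONS]
SAMPLES = {
    "mixed": {"violations": ENFORCED, "xml_profiles": [
        {"name": "Default", "allowDTDs": False},
        {"name": "legacy_soap", "allowDTDs": True}]},
    "clean": {"violations": ENFORCED, "xml_profiles": [
        {"name": "Default", "allowDTDs": False}]},
    "alarm_only": {"violations": [dict(ENFORCED[0], block=False), ENFORCED[1]],
                   "xml_profiles": []},
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, audit(policy))
```

The "mixed" policy is the case the bug hides: one profile with allowDTDs set to true earned the score before the fix, while the fixed rule withholds it and names the offending profile.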
