Bug ID 664618: Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM, LTM(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5, 13.1.1.5, 12.1.4.1

Opened: May 12, 2017

Severity: 4-Minor

Symptoms

When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting is not honored for the 'Check maximum number of headers' check. Client requests with more than the maximum allowed headers are allowed through to the server and an alert is generated, as expected. If the server response also contains more than the configured maximum number of headers, however, the connection is reset rather than only alarmed.

Impact

Connections are reset when only alerting is expected.

Conditions

-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.

Workaround

None.

Fix Information

Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile.
When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic is blocked, and logging can be seen in both the LTM log and the PSM event logs.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips