Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0, 14.1.2.3
Opened: May 09, 2019 Severity: 3-Major
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects: -- No space after the semicolon -- A cookie with no value is sent without the equals sign
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
-- ASM Security Policy is used. -- Request includes an ASM cookie.
Disable the cookie stripping by modifying the DB variable as follows: tmsh modify sys db asm.strip_asm_cookies value false
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.