Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1
Fixed In:
15.1.0, 15.0.1.1, 14.1.2.5
Opened: Jun 18, 2019
Severity: 3-Major
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Each condition is evaluated against an operand. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).
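One way to find policy rules that meet the second condition above, as an added example that is not F5 code. It assumes the multi-line bigip.conf layout in which each condition keyword, including `not`, sits on its own line; the sample configuration and the function name are constructed for illustration.

```python
# Added example: flag LTM policy conditions that use a negative matching type.
# Assumption: multi-line bigip.conf layout, one keyword per line ("not" alone).

SAMPLE_CONF = """\
ltm policy /Common/referer_policy {
    rules {
        foreign_referer {
            conditions {
                0 {
                    http-referer
                    host
                    not
                    contains
                    values { www.example.com }
                }
            }
        }
        static_content {
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /static }
                }
            }
        }
    }
}
"""  # constructed sample, not taken from a real device

def find_negated_conditions(conf_text):
    """Return (policy, rule, condition_id, keywords) for every negated condition."""
    stack, findings = [], []  # stack holds [label, body_lines] per open block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.endswith("{") and line.count("{") - line.count("}") == 1:
            stack.append([line[:-1].strip(), []])
        elif line == "}" and stack:
            label, body = stack.pop()
            path = [entry[0] for entry in stack]
            # Keywords are the words before any inline "{ ... }" value list.
            words = [w for b in body for w in b.split("{")[0].split()]
            if (len(path) >= 4 and path[-1] == "conditions" and path[-3] == "rules"
                    and path[0].startswith("ltm policy ") and "not" in words):
                findings.append((path[0].split()[-1], path[-2], label, " ".join(words)))
        elif line and stack:
            stack[-1][1].append(line)
    return findings
```

Each tuple returned names a rule to review against the workarounds on an affected version.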
You can use either workaround:
-- Convert rules into a 'positive' form (one without a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
The BIG-IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.