Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.1
Opened: Aug 30, 2019
Severity: 1-Blocking
Related Article:
K50375550
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Pool members may be exposed to non-compliant HTTP requests.
-- HTTP virtual server
-- Non-compliant HTTP request from client
None.
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
A new BigDB variable has been added. The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default. If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset. The checks performed are a subset of those described within the HTTP PSM module. If a blocking page or more detailed control over which checks are performed is required, configure HTTP PSM or ASM on the virtual server. If either HTTP PSM or ASM is configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
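The following audit helper is an added example, not F5 code. It applies the rules above to one virtual server: whether the running version has the option (using only the Fixed In and Known Affected versions listed here), what the BigDB value is, and whether HTTP PSM or ASM overrides it. The function names, the result labels, the lowercase variable name, and the sample `tmsh` output format are assumptions.

```python
import re

# Fixed-in releases listed on this page, one per major.minor branch.
FIXED_IN = ("15.0.1.1", "14.1.2.3", "13.1.3.4", "12.1.5.1")
# Branch the page lists as known affected, with no fixed release given.
AFFECTED_NO_FIX = {(11, 6)}

def parse_version(text):
    """'11.6.1 HF2' -> (11, 6, 1, 0); the hotfix suffix is ignored."""
    nums = [int(p) for p in text.split()[0].split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def has_option(version):
    """True/False if the page settles it, None if the branch is not listed."""
    v = parse_version(version)
    if v[:2] in AFFECTED_NO_FIX:
        return False
    for fixed in map(parse_version, FIXED_IN):
        if v[:2] == fixed[:2]:
            return v >= fixed
    return None

def db_value(tmsh_output):
    """Extract the value from 'tmsh list sys db <name>' style output."""
    m = re.search(r'^\s*value\s+"?([^"\s]+)"?\s*$', tmsh_output, re.M)
    return m.group(1).lower() if m else None

def effective_state(version, tmsh_output, psm_or_asm_on_vs):
    """Classify one virtual server according to the rules on this page."""
    available = has_option(version)
    if available is None:
        return "unknown-branch"
    if not available:
        return "no-option"  # pool members may receive non-compliant requests
    if psm_or_asm_on_vs:
        return "ignored"    # HTTP PSM or ASM governs this virtual server
    enabled = db_value(tmsh_output) == "enable"
    return "reset-on-violation" if enabled else "not-enforced"

# Constructed sample output (format and value spelling are assumptions).
SAMPLE_DISABLED = 'sys db tmm.http.rfc.enforcement {\n    value "disable"\n}\n'
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("disable", "enable")

if __name__ == "__main__":
    for ver, out, waf in [("14.1.2.3", SAMPLE_ENABLED, False),
                          ("13.1.3.4", SAMPLE_ENABLED, True),
                          ("11.6.5.3", SAMPLE_DISABLED, False)]:
        print(ver, effective_state(ver, out, waf))
```

Because the option is disabled by default, a fixed release that reports "not-enforced" still forwards non-compliant requests to pool members until the variable is enabled or HTTP PSM/ASM is applied.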