Last Modified: May 29, 2024
Affected Product(s):
BIG-IP AVR
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.1.0, 15.1.0.1
Fixed In:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
Opened: Oct 15, 2019 Severity: 2-Critical
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-Length header.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
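A defender-side check for the symptom described above, added here as an example and not F5 code: it parses a raw HTTP response and reports how many bytes the Content-Length header declares beyond what the body actually carries, which is the gap a client would wait on if the announced JavaScript never arrives. The sample responses are constructed for illustration.

```python
# Added example (not F5 code): measure the gap between a declared
# Content-Length and the body that was actually delivered.
# The sample responses below are constructed, not captured traffic.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body

def content_length_gap(raw: bytes):
    """Return declared Content-Length minus actual body length.
    None if the header is absent or not an integer.
    A positive value means the client is still waiting for bytes that
    were promised (for example by an announced script injection) but
    never sent."""
    _, headers, body = parse_response(raw)
    if "content-length" not in headers:
        return None
    try:
        declared = int(headers["content-length"])
    except ValueError:
        return None
    return declared - len(body)

# Constructed samples: the same HTML body, once announced at its true
# length and once announced as 240 bytes longer, as if 240 bytes of
# JavaScript had been promised in Content-Length but not inserted.
HTML = b"<html><body>hi</body></html>"
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(HTML) + HTML)
BAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
       + b"Content-Length: %d\r\n\r\n" % (len(HTML) + 240) + HTML)

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("bad", BAD)):
        print(name, "gap =", content_length_gap(resp))
```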
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Workaround:
You can use iRules to control which pages receive the JavaScript injection. For details, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix Information:
Changed the condition that inserts the JavaScript injection when "collect all dos stats" is enabled.