Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.1.0, 15.1.0.1
Fixed In:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
Opened: Dec 06, 2019
Severity: 3-Major
Related Article:
K22493037
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Sensitive data will reach the ICAP server.
XML profile is configured with sensitive elements on a policy. ICAP server is configured to inspect file uploads on that policy.
No immediate workaround except policy-related changes.
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
An internal parameter called send_xml_sensitive_entities_to_icap has been added, and its default value is 1. When it is changed to 0 using the following command, XML requests with sensitive data will not be sent to ICAP:
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0