Bug ID 927617: 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
16.0.1, 16.0.0, 15.1.1, 15.1.0, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5

Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3

Opened: Jul 15, 2020

Severity: 2-Critical

Symptoms

A valid request that should be passed to the backend server is blocked.

Impact

A request is blocked that should not be.

Conditions

-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled. -- The cookie header that contain the valid cookie value is encoded to base64.

Workaround

Disable 'Base64 Decoding' for the desired cookie.

Fix Information

Requests with valid base64 encoding cookies are now correctly passed by the enforcer.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips