Bug ID 971217: AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
16.1.0, 15.1.6.1, 14.1.5

Opened: Dec 08, 2020

Severity: 3-Major

Symptoms

An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security profile contains various protocol checks that can be enabled and disabled to customize security checking. When the "Unparsable request content" check is selected, BIG-IP incorrectly treats HTTP POST requests with Content-Length: 0 as unparsable and reports them as not allowed. POST requests with Content-Length: 0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Impact

The check for POST requests with Content-Length: 0 cannot be disabled separately from the general "Unparsable request content" check.

Conditions

-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.
-- Client sends HTTP POST request with Content-Length: 0

Workaround

None.

Fix Information

POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations and will not incorrectly be reported.

Behavior Change

POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations within the AFM HTTP protocol security profile.
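
The fixed behavior keeps the two checks independent. The following added example (not F5 code and not a description of how AFM is implemented) shows that separation with a strict parser standing in for the device's parsing; the function names, the parser rules and the sample requests are assumptions constructed for illustration.

```python
# Added illustration only; the parsing rules below are assumptions, not AFM's logic.
UNPARSABLE = "Unparsable request content"
POST_CL0 = "POST request with Content-Length: 0"

# Constructed sample requests.
EMPTY_POST = b"POST /api/ping HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n"
GARBLED = b"POST /api/ping HTTP/1.1\r\nHost: app.example\r\nContent-Length: abc\r\n\r\n"

def parse_request(raw: bytes):
    """Return (method, content_length or None); raise ValueError if unparsable."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip())
    lengths = set(headers.get("content-length", []))
    # Conflicting or non-numeric Content-Length values make the request unparsable.
    if len(lengths) > 1 or any(not (v.isascii() and v.isdigit()) for v in lengths):
        raise ValueError("invalid Content-Length")
    return parts[0], (int(lengths.pop()) if lengths else None)

def violations(raw: bytes, enabled: set) -> list:
    """Evaluate each enabled check on its own, as the fixed behavior describes."""
    try:
        method, content_length = parse_request(raw)
    except ValueError:
        return [UNPARSABLE] if UNPARSABLE in enabled else []
    # A well-formed POST with an empty body parses cleanly, so it can only
    # trigger its own dedicated check, never the unparsable-content check.
    if POST_CL0 in enabled and method == "POST" and content_length == 0:
        return [POST_CL0]
    return []

if __name__ == "__main__":
    for label, req in (("empty POST", EMPTY_POST), ("garbled", GARBLED)):
        print(label, violations(req, {UNPARSABLE}), violations(req, {UNPARSABLE, POST_CL0}))
```

On an affected version, the first case would instead be reported under "Unparsable request content" even with the dedicated check disabled.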
