Bug ID 1008849: OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product: BIG-IP ASM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1

Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1

Opened: Apr 05, 2021
Severity: 3-Major

Symptoms

The "A4 XML External Entities (XXE)" item of the OWASP Compliance view requires a set of XXE attack signatures to be enforced in the policy. An attack signature update renamed some of those signatures, but the compliance check still looks them up by their old names. Because that lookup fails, the item reports the signatures as not enforced even when they are. Choosing to enforce the required signatures from this section fails for the same reason: the enforcement step searches by the old names, does not find the signatures, and therefore cannot enforce them.

Impact

The "A4 XML External Entities (XXE)" item cannot be reported as fully compliant, even when the required XXE signatures are already enforced in the policy.

Conditions

The installed attack signature update carries the new names for the XXE signatures, while the OWASP compliance check still searches for them by their old names. As a result it can neither determine whether the signatures are already enforced nor enforce them.

Workaround

N/A

Fix Information

The compliance check now looks up the required XXE signatures by signature ID instead of by signature name. Because the ID is not affected by a rename, the check finds the signatures and can enforce them when needed.
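An added illustration of the failure mode described under Symptoms and of the fix above. This is not F5 code and is not taken from this page: it models a compliance check keyed on signature names, which produces a false "not enforced" result and a silent no-op enforcement once an update renames the signatures, beside the same check keyed on the stable signature ID. The catalog contents, signature names and IDs, and the `Signature` and `Policy` classes are constructed placeholders, not real BIG-IP ASM signatures or APIs.

```python
"""Constructed illustration (not F5 code): a name-keyed compliance check breaks
after a signature update renames signatures; an ID-keyed check does not.
All catalog entries, names and IDs below are placeholders."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sig_id: int   # stable identifier, unchanged by a rename
    name: str     # display name, may change with a signature update


@dataclass
class Policy:
    """Minimal stand-in for an ASM policy: the set of enforced signature IDs."""
    enforced_ids: set = field(default_factory=set)


# Constructed signature catalog BEFORE the update.
CATALOG_BEFORE = {
    1001: Signature(1001, "XML External Entity (XXE) injection"),
    1002: Signature(1002, "XML Entity Expansion"),
}

# Constructed catalog AFTER the update: same IDs, renamed entries.
CATALOG_AFTER = {
    1001: Signature(1001, "XXE: External Entity Declaration"),
    1002: Signature(1002, "XXE: Entity Expansion"),
}

# What the buggy check requires, keyed by the OLD names.
REQUIRED_BY_NAME = {
    "XML External Entity (XXE) injection",
    "XML Entity Expansion",
}
# What the fixed check requires, keyed by stable signature ID.
REQUIRED_BY_ID = {1001, 1002}


def check_by_name(catalog, policy):
    """Buggy lookup: a required name that no longer resolves in the catalog
    counts as 'not enforced', so a rename yields a false negative."""
    by_name = {s.name: s for s in catalog.values()}
    return all(
        name in by_name and by_name[name].sig_id in policy.enforced_ids
        for name in REQUIRED_BY_NAME
    )


def enforce_by_name(catalog, policy):
    """Buggy enforcement: renamed signatures are silently skipped, so the
    action appears to succeed but changes nothing."""
    by_name = {s.name: s for s in catalog.values()}
    for name in REQUIRED_BY_NAME:
        if name in by_name:
            policy.enforced_ids.add(by_name[name].sig_id)
    return check_by_name(catalog, policy)


def check_by_id(catalog, policy):
    """Fixed lookup: key on the signature ID, which the update did not change."""
    return all(
        sid in catalog and sid in policy.enforced_ids
        for sid in REQUIRED_BY_ID
    )


def enforce_by_id(catalog, policy):
    """Fixed enforcement: enforce every required ID present in the catalog."""
    for sid in REQUIRED_BY_ID:
        if sid in catalog:
            policy.enforced_ids.add(sid)
    return check_by_id(catalog, policy)


def demo():
    """Run the scenario end to end and return the outcomes as a tuple."""
    # A policy that already enforces both XXE signatures.
    enforced = Policy(enforced_ids={1001, 1002})
    before = check_by_name(CATALOG_BEFORE, enforced)    # True: names still match
    after_bug = check_by_name(CATALOG_AFTER, enforced)  # False: false negative
    after_fix = check_by_id(CATALOG_AFTER, enforced)    # True: IDs unaffected

    # An empty policy: the 'enforce required signatures' action after the update.
    enforce_name_result = enforce_by_name(CATALOG_AFTER, Policy())  # False: no-op
    enforce_id_result = enforce_by_id(CATALOG_AFTER, Policy())      # True
    return before, after_bug, after_fix, enforce_name_result, enforce_id_result


if __name__ == "__main__":
    print(demo())
```

The general point the example makes is that a compliance or configuration check should key on an identifier the vendor guarantees stable (here the signature ID) rather than on a display string that a content update may legitimately change.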

Behavior Change