Last Modified: Apr 28, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4
Opened: Mar 09, 2022
Severity: 4-Minor
The first POST request with a body size greater than 64 KB is dropped to prevent DoS attacks. In a few scenarios, APM also drops the second POST request (the authenticated request) with a body size greater than 64 KB, even when it carries a valid MRH session cookie.
The connection is reset. The reset cause is [F5RST: APM HTTP body too big]
- A client sends a first POST message with a body less than 64 KB and, once the access session is created, sends a second POST request containing a body greater than 64 KB.
- Use of browsers that do not support JavaScript.
- A custom client that does not consider and resend the hidden dummy parameter value of the POST body in the "200 OK" response to my.policy from BIG-IP.
None
None