Bug ID 1096477: Parameter set as non-Base64 encoded value is treated as a Base64 encoded value

Last Modified: Oct 19, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.5

Fixed In:
14.1.5.1

Opened: Apr 08, 2022
Severity: 2-Critical

Symptoms

URL parameters that are configured as 'Base64 Decoding' false are still treated as Base64 Encoded values. This leads to reading incorrect parameter values.

Impact

A request gets blocked with an attack signature detected, when it should not be. Negative signature check gets skipped or generates false alarms.

Conditions

Create a parameter, not staged with user-input, alpha-numeric, Base64 values set to False.

Workaround

None

Fix Information

The system now check to determine whether Base64 is set for the parameter before decoding it.

Behavior Change