Bug ID 1111793: New HTTP RFC Compliance check for incorrect newline separators between request line and first header

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1

Fixed In:
15.1.7

Opened: Jun 02, 2022
Severity: 4-Minor

Symptoms

ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').

Impact

Invalid requests might pass through ASM enforcement.

Conditions

Any HTTP request with a line feed only at the end of the request line will not be enforced.

Workaround

None

Fix Information

HTTP requests with LF('\n') as the only separator between the request line and the first header are enforced, and "Unparsable request content" is reported.

Behavior Change