Bug ID 1111793: New HTTP RFC Compliance check for incorrect newline separators between request line and first header

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:
17.1.0, 16.1.4, 15.1.7

Opened: Jun 02, 2022

Severity: 4-Minor

Symptoms

ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').

Impact

Invalid requests might pass through ASM enforcement.

Conditions

Any HTTP request with a line feed only at the end of the request line will not be enforced.

Workaround

None

Fix Information

HTTP requests with LF('\n') as the only separator between the request line and the first header are enforced, and "Unparsable request content" is reported.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips