Bug ID 1113881: Headers without a space after the colon, trigger an HTTP RFC violation

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
17.0.0.2, 17.0.0.1, 15.1.8.2, 15.1.8.1, 15.1.8, 15.1.7

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Jun 13, 2022

Severity: 3-Major

Symptoms

An "Unparsable request content" violation is detected for valid headers that do not have a space after the header's name ':'.

Impact

Requests that are suppose to pass are blocked by the ASM enforcer.

Conditions

Any header without a space between the colon ':' and the header value will trigger "Unparsable request content". With v14.1.x, there are no affected versions. With v15.1.x, this issue was introduced in 15.1.7 With v16.1.x, there are no affected versions. With v17.0.x, this issue was introduced in 17.0.0.1 With v17.1.x, there are no affected versions.

Workaround

The client has to send headers with space after ':'.

Fix Information

No "Unparsable request content" violation for headers with space after ':'.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips