Bug ID 1798869: F5OS-A webUI HTTP responses are unexpectedly gzip-compressed

Last Modified: Apr 04, 2025

Affected Product(s):
F5OS, F5OS-A (all modules)

Known Affected Versions:
F5OS-A 1.8.0

Opened: Feb 03, 2025

Severity: 3-Major

Symptoms

Accessing random URLs via the F5OS-A webUI (e.g., https://<management IP>/xyz) returns a gzip-compressed response similar to the following:

```
HTTP/1.1 200 OK
Date: Wed, 29 Jan 2025 14:56:13 GMT
Server: Apache
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Last-Modified: Tue, 06 Aug 2024 05:56:33 GMT
ETag: "168-61efd74a82640"
Accept-Ranges: bytes
Content-Length: 360
Content-Security-Policy: default-src 'self'; upgrade-insecure-requests; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; worker-src 'none';
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip          <-- Note

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<link rel="icon" href="/favicon.ico" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<meta name="theme-color" content="#000000" />
<meta name="description" content="Web site created using create-react-app" />
<link rel="apple-touch-icon" href="/favicon.ico" />
<link rel="manifest" href="/manifest.json" />
<title></title>
<script defer="defer" src="/static/js/main.446dcef6.js"></script>
<link href="/static/css/main.7c19607f.css" rel="stylesheet">
</head>
<body><noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
</body>
</html>
```

Impact

All responses are compressed, which might trigger a false positive from vulnerability scanners probing for web-accessible backup files (for example, https://<management IP>/backup.tar.gz): the request for an archive path is answered with a 200 response whose body is gzip-encoded. Responses are compressed even if the client supplies an 'Accept-Encoding: identity' header.

No impact should be observed when accessing URLs from a modern browser with JavaScript enabled; requests to random URLs are redirected to the login page. Compression still occurs, but in that case it only improves network performance.
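A check a scanner operator can run to confirm the false positive described above, added here as an example and not taken from the F5 page: it asks for an uncompressed body, records whether the server ignored `Accept-Encoding: identity`, and tells a genuine archive apart from the gzip-coded index page by undoing the transport coding before looking at the payload. The management host and path, the constructed sample responses and the `fetch` helper (not exercised offline) are assumptions.

```python
import gzip
import http.client
import ssl

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: the React index page quoted in the bug report, gzip-coded
# the way the affected webUI returns it for any unknown path such as /backup.tar.gz.
SAMPLE_HTML = (b'<!doctype html><html lang="en"><head><meta charset="utf-8" />'
               b'<title></title></head><body><noscript>You need to enable JavaScript'
               b' to run this app.</noscript><div id="root"></div></body></html>')
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Content-Encoding": "gzip"}
SAMPLE_BODY = gzip.compress(SAMPLE_HTML)
# Constructed sample of what a genuinely exposed archive looks like on the wire:
# the gzip bytes *are* the payload, so there is no Content-Encoding header.
ARCHIVE_HEADERS = {"Content-Type": "application/x-gzip"}
ARCHIVE_BODY = gzip.compress(b"ustar\x00 constructed tar payload, not a real backup")


def _hdr(headers, name):  # case-insensitive lookup over a plain dict
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def ignores_identity(headers):
    """True when the server applied a content coding although we asked for none."""
    return _hdr(headers, "Content-Encoding").lower() not in ("", "identity")


def classify(headers, body):
    """Return 'archive', 'html-fallback' or 'other' for one HTTP response."""
    try:  # undo the transport-level coding; a body declared gzip but not gzip is 'other'
        payload = gzip.decompress(body) if _hdr(headers, "Content-Encoding").lower() == "gzip" else body
    except OSError:
        return "other"
    if payload[:2] == GZIP_MAGIC:
        return "archive"        # the payload itself is gzip data: a genuine .tar.gz
    head = payload.lstrip()[:14].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html-fallback"  # the webUI index page served for an unknown path
    return "other"


def fetch(host, path, timeout=10):
    """Hypothetical helper: GET `path` asking for an uncompressed body. Verification is
    off because management interfaces commonly use self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    conn.request("GET", path, headers={"Accept-Encoding": "identity"})
    resp = conn.getresponse()
    status, headers, body = resp.status, dict(resp.getheaders()), resp.read()
    conn.close()
    return status, headers, body
```

Run `classify(*fetch(host, "/backup.tar.gz")[1:])` against the device; `html-fallback` confirms the scanner hit is this bug, not an exposed backup.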

Conditions

Accessing random URLs via the F5OS-A webUI.

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips