Last Modified: Nov 07, 2022
Affected Product:
BIG-IP ASM, AVR
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0, 11.4.1 HF6
Opened: Aug 14, 2014
Severity: 3-Major
Symptoms:
If an HTTP flow has both an X-Forwarded-For (XFF) header and a custom header containing the true client IP, the IP in the XFF header takes priority.
Impact:
The wrong source IP is listed for the request. The system may then apply the wrong iRules, the wrong IP Intelligence policy, and so on.
Conditions:
Both X-Forwarded-For and one or more custom headers are configured and in use. A request arrives with both an X-Forwarded-For header and a custom header.
Workaround:
N/A
Fix Information:
AVR IP collection and DoS attack detection: Previously, if an HTTP profile had both XFF and one or more custom headers (called "Alternate headers" in the Configuration utility), the system took the last such header in the request (whether the actual X-Forwarded-For or a custom header) and extracted the IP address from it. Now, the system uses the last custom header, even if it comes before the last XFF header.
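The two selection policies described in the fix information, as an added example in Python that is not F5's code and does not reproduce BIG-IP internals: it walks a request's headers in wire order and shows which value the old and the fixed policy each extract. The custom header name True-Client-IP, the addresses, and the request itself are constructed for the example.

```python
"""Added example, not F5 code: models the old and fixed header-selection
policies for extracting the true client IP when an HTTP profile has both
X-Forwarded-For (XFF) and one or more custom ("Alternate") headers."""
from typing import Iterable, List, Optional, Tuple

XFF = "x-forwarded-for"

# Constructed request, not a real capture. The first XFF is client-supplied,
# the custom header is inserted by a trusted upstream proxy, and a later XFF
# follows it, so the last custom header precedes the last XFF header.
REQUEST: List[Tuple[str, str]] = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "203.0.113.9"),
    ("True-Client-IP", "198.51.100.7"),   # hypothetical alternate header
    ("X-Forwarded-For", "203.0.113.10"),
]

ALTERNATE_HEADERS = ["True-Client-IP"]  # the profile's custom header list


def pick_client_ip(headers: Iterable[Tuple[str, str]],
                   alternate_headers: Iterable[str],
                   fixed: bool = True) -> Optional[str]:
    """Return the header value the profile would use as the client IP.

    fixed=False reproduces the pre-fix behaviour: the last matching header
    in the request wins, whether it is XFF or a custom header.
    fixed=True reproduces the fixed behaviour: the last custom header wins
    whenever one is present, even if an XFF header follows it; XFF is only
    consulted when no custom header is present.
    """
    alts = {h.lower() for h in alternate_headers}
    last_xff: Optional[str] = None
    last_custom: Optional[str] = None
    last_any: Optional[str] = None
    for name, value in headers:
        lname = name.lower()
        if lname in alts:
            last_custom = value
            last_any = value
        elif lname == XFF:
            last_xff = value
            last_any = value
    if fixed:
        return last_custom if last_custom is not None else last_xff
    return last_any


def compare(headers: Iterable[Tuple[str, str]] = REQUEST,
            alternate_headers: Iterable[str] = ALTERNATE_HEADERS) -> dict:
    """Evaluate both policies on one request so the difference is visible."""
    hdrs = list(headers)
    alts = list(alternate_headers)
    return {
        "old": pick_client_ip(hdrs, alts, fixed=False),
        "fixed": pick_client_ip(hdrs, alts, fixed=True),
    }


if __name__ == "__main__":
    for policy, ip in compare().items():
        print(f"{policy:>5}: client IP = {ip}")
```

On the constructed request the old policy returns 203.0.113.10, the trailing XFF value, while the fixed policy returns 198.51.100.7 from the custom header. Either policy only yields a trustworthy address when the proxy that inserts the custom header also strips or overwrites any copy of that header the client sent, and when the BIG-IP accepts these headers only from that proxy; otherwise the client can supply the custom header itself and the selection order does not help.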