Bug ID 497376: Wrong use of custom XFF headers when there are multiple matches

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM, AVR (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Dec 18, 2014

Severity: 3-Major

Symptoms

In a specific case of multiple matching XFF headers combined with special settings, one of the supplied XFF headers is processed, but not the desired one.

Impact

The incoming request is treated as coming from an IP address other than the desired one. This affects the reports and the identification of the request by the DoS system.

Conditions

1. At least one custom XFF header is configured in the HTTP profile.
2. The incoming request has at least 2 headers that match the custom headers.
3. The DB variable avr.alwaysuselastxff is set to 0.

Workaround

It is possible to set an iRule that does the logic of comparing the XFF headers, removes the unnecessary ones, and keeps only the desired one.
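One way to implement this workaround, as an added example that is not part of the bug tracker entry or F5's own code: an iRule that keeps only the highest-priority custom XFF header present in the request and removes the others before the header is evaluated. The header names X-Real-IP and True-Client-IP, and the priority order between them, are assumptions and must be edited to match the custom XFF headers actually configured in the HTTP profile.

```tcl
# Added example (not from the bug tracker entry or F5).
# Assumption: the HTTP profile lists the custom XFF headers
# "X-Real-IP" and "True-Client-IP" (constructed names), and the
# first one present, in that order, is the desired header.
when HTTP_REQUEST {
    # Priority list of custom XFF header names (edit to match the HTTP profile)
    set xff_headers [list "X-Real-IP" "True-Client-IP"]
    set keep_name ""
    set keep_value ""

    # Pick the highest-priority header that is present; if that header itself
    # appears more than once, keep only its first value
    foreach name $xff_headers {
        if { [HTTP::header exists $name] } {
            set keep_name $name
            set keep_value [lindex [HTTP::header values $name] 0]
            break
        }
    }

    if { $keep_name ne "" } {
        # Remove every instance of every custom XFF header, then re-insert
        # the single header/value pair that was selected above
        foreach name $xff_headers {
            HTTP::header remove $name
        }
        HTTP::header insert $keep_name $keep_value

        # Log the decision so the address used for reports and DoS
        # identification can be checked against the connection's source
        log local0. "XFF workaround: kept $keep_name=$keep_value (client [IP::client_addr])"
    }
}
```

The selection policy (first header in the priority list) is a design choice for the example; a deployment whose desired header is the last matching one, or a specific named header, changes only the loop that sets keep_name. Because the iRule collapses several headers into one, the log line is worth keeping during rollout so that the address recorded in AVR reports can be compared with the address the iRule chose.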

Fix Information

The desired XFF header is taken as the one that represents the HTTP request IP address.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips