Bug ID 500450: ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM, ASM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2

Opened: Jan 10, 2015

Severity: 3-Major

Symptoms

With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. The APM websso module does not honor the Set-Cookie modification or the injection. ASM subsequently causes the connection to reset.

Impact

The connection is reset under the above condition.

Conditions

With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, the APM websso module does not honor the change.

Workaround

Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix Information

The APM websso module is modified to handle an ASM use case. The websso module now reparses the HTTP 401 response header from the server at the client side, in addition to the existing parsing during server-side processing. With this fix, any Set-Cookie modification or addition by ASM is sent to the server in the response to the 401 header.

Behavior Change
