Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6
Opened: Mar 20, 2015 Severity: 3-Major
When a session variable set by AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option for the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as0xABCD).
As a result, the access policy does not follow the expected branch rule.
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value/
While decoding a single value, the mcget command produces a result like EncodedValueDecodedValue. For example, for encoded string 0x616161, the result of the operation will be 616161aaa. It is possible to write a Tcl expression in the Variable Assign agent that truncates the left half of the string and leaves aaa, the decoded value only.
The -decode option works as expected for single-value and multi-value session variables.