Bug ID 555057: ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4

Opened: Oct 29, 2015
Severity: 2-Critical

Symptoms

When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Impact

All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Conditions

ASM REST is used to remove a signature set association from a policy. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Workaround

A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets. Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix Information

When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.

Behavior Change