Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0
Opened: Jan 09, 2016 Severity: 3-Major Related Article:
K17206132
An outbound ICAP request body is double-chunked (has extra chunk headers inserted within the body chunks).
The ICAP server receives corrupt payload and might malfunction and/or return corrupt payload to the receiving client or server.
A primary virtual server has an HTTP profile and either request-adapt or response-adapt profiles, and a corresponding internal virtual server with an ICAP profile. Outbound ICAP request payload might be double-chunked if any of the following are true. Primary virtual server has a request-adapt profile and either: 1. HTTP client sends a POST request with chunked payload and the http profile has request chunking mode 'preserve' (default). 2. HTTP client sends POST request with chunked payload and the http profile has request chunking mode 'selective', unless certain other http related profiles are present on the http virtual server. Primary virtual server has a response-adapt profile and ICAP server responds with a body (200 ok), and: 3. HTTP server responds with chunked payload and the http profile has response chunking mode 'preserve'. If any of these conditions are true, the outbound ICAP request body might be double-chunked.
None.
An outbound ICAP request body contains the original unchunked HTTP content with only valid chunk headers in a chain, which can be tracked and removed by the ICAP server to correctly recover the HTTP content.