Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.1.0
Opened: Feb 03, 2016
Severity: 3-Major
Symptoms:
The various features in the Application DoS profile, including Proactive Bot Defense, use cookies as part of the enforcement. These cookies do not include the 'secure' flag on deployments that use HTTPS.
Impact:
The internal DoS / Proactive Bot Defense cookies are set without the 'secure' flag on HTTPS deployments. The relevant cookies are internal ones used only to maintain state; they do not contain any user data or other sensitive information.
Conditions:
Any of the client-side features is enabled in the DoS profile: Client-Side Mitigation, Proactive Bot Defense, or Device-ID-based detection. This is only a problem for deployments that use HTTPS.
Workaround:
None
Fix Information:
The DoS / Proactive Bot Defense cookies can now optionally be set with the 'secure' flag, controlled by these new DB variables:
DOSL7.use_secure_cookies: enables the 'secure' flag on cookies set on a Virtual Server that has a client-side SSL profile (default: disabled).
DOSL7.assume_https: treats all Virtual Servers as HTTPS, even those without an SSL profile (default: disabled). Use this when SSL termination is performed on a different Virtual Server or on a different device.
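To confirm that the fix has taken effect on an HTTPS virtual server, the following added check (example code, not F5's) parses the Set-Cookie headers of a captured response and reports any cookie set without the Secure attribute; the cookie names in the sample are constructed placeholders, not the real internal cookie names, and the client_https argument stands in for the question DOSL7.assume_https answers when TLS is terminated elsewhere.

```python
"""Audit Set-Cookie headers for the 'Secure' attribute on HTTPS responses."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name/value pair and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def find_insecure_cookies(set_cookie_headers: List[str], client_https: bool) -> List[str]:
    """Return the names of cookies set over HTTPS without the 'secure' attribute.

    client_https must reflect the client-facing connection: True when the virtual
    server carries a client-side SSL profile, or when TLS is terminated on another
    virtual server or device (the case DOSL7.assume_https exists for). Over plain
    HTTP the flag is not expected, so nothing is reported.
    """
    if not client_https:
        return []
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers) if "secure" not in c]


# Constructed sample Set-Cookie values; names are placeholders, not real BIG-IP cookies.
SAMPLE_HEADERS = [
    "EXAMPLE_DOS_STATE=abc123; Path=/; HttpOnly",
    "EXAMPLE_BOT_DEFENSE=xyz789; Path=/; HttpOnly; Secure",
    "EXAMPLE_APP_SESSION=s1; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie_name in find_insecure_cookies(SAMPLE_HEADERS, client_https=True):
        print(f"missing Secure flag: {cookie_name}")
```

Feed it the Set-Cookie values from a real response (for example, from the output of a curl request to the virtual server) to check that every DoS cookie carries Secure after the DB variables are enabled.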