Bug ID 620567: HTTP to HTTPS TMUI redirection erroneously allows HTTP access to iControl SOAP and iControl REST

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
14.1.0, 13.1.0

Opened: Oct 04, 2016
Severity: 3-Major

Symptoms

When the BIG-IP system is configured to redirect HTTP to HTTPS, iControl SOAP and iControl REST API calls are erroneously accepted on port 80 (in addition to 443).

Impact

iControl SOAP and iControl REST calls are accepted on an unencrypted port. API calls still require authentication, but results are not encrypted.

Conditions

The BIG-IP has 'Redirect HTTP to HTTPS' enabled.

Workaround

None.

Fix Information

HTTP to HTTPS TMUI redirection no longer erroneously allows HTTP access to iControl SOAP and iControl REST.

Behavior Change