Bug ID 681109: BD crash in a specific scenario

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
14.0.0, 13.1.0, 12.1.3.2

Opened: Aug 31, 2017
Severity: 2-Critical
Related AskF5 Article:
K46212485

Symptoms

BD crash occurs.

Impact

Failover, traffic disturbance.

Conditions

A specific, non-default configuration with specific traffic. The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload. For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following: Content-Type :: *xml* :: form-data This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Workaround

In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism. A correctly configured header-based-content-profile property on URLs appears as follows: In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows: Content-Type :: *form* :: Form Data Content-Type :: *json* :: JSON Content-Type :: *xml* :: XML

Fix Information

Added a check to prevent a crash in a specific scenario.

Behavior Change