Bug ID 688365: Access can lose the initial POST body if backend resets

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: Oct 12, 2017

Severity: 3-Major

Symptoms

If the initial request is a POST, then ACCESS will save the POST body before running the access policy. Once the policy completes, ACCESS redirects the client to the landing URI, with some injected Javascript to include a POST parameter 'dummy'. Once ACCESS receives the 'dummy' parameter, it is replaced by the initial POST body. However, this replacement can only happen once. If the backend sends a reset, the client browser will likely resend the 'dummy' POST, but ACCESS will not recognize the dummy a second time, and the initial POST body will not be inserted.

Impact

Backend application server will receive a 'dummy' POST body. Impact will depend on the application. In one deployment this resulted in SAML assertion failures.

Conditions

Initial POST body. Access policy has completed, and client browser sends a 'dummy' POST to the landing URI. Then something (backend or some APM component sends a reset) causes the browser to resend the 'dummy' POST.

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips