Bug ID 688369: dos-hidden profile created in non-Common partition - search engines not bypassed

Last Modified: May 01, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed In:
14.0.0

Opened: Oct 12, 2017
Severity: 3-Major

Symptoms

The hidden dos profile /Common/asm-hidden/dos-hidden might be created in a non-Common partition, causing error messages and not bypassing of known search engines. (This profile is created automatically when provisioning ASM.) When this happens: -- An error message appears in /var/log/ltm: - err mcpd[6558]: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Google in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition1 -- The /Common/asm-hidden/dos-hidden profile is saved in the config file of the partition (/config/partitions/<partition>/bigip.conf) instead of /config/bigip.conf.

Impact

The impact is that the system does not bypass known Search Engines when sending the JavaScript challenges. Also, on 12.1.x, this error message is written to /var/log/asm: -- err tsconfd[31293]: dcc|ERR|Oct 11 07:14:04.065|31293| [tsconfd::ASMCONFIG_CALL, update dos bot signature] Failed due to ASMConfig exception: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Yandex in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition_1.

Conditions

This happens when provisioning ASM using the GUI, and the partition (on the top-right corner) is set to any partition other than the Common one. Note: The GUI page 'System :: Resource Provisioning' does not allow changing the partition (it is grayed out). The partition must be changed on a different page, such as Virtual Servers.

Workaround

To prevent the problem from happening, make sure the Common partition is selected when provisioning ASM. (Change it on a different page to Common, and then come back to the provisioning page and provision ASM. This only works if ASM was not yet provisioned before.) If the problem has already occurred, run the following commands to solve the problem: tmsh delete security dos profile /Common/asm-hidden/dos-hidden tmsh save sys config tmsh load sys config tmsh save sys config

Fix Information

The system now creates the hidden dos profile /Common/asm-hidden/dos-hidden in the Common partition correctly, and correctly bypasses known Search Engines when sending JavaScript challenges.

Behavior Change