Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Opened: Oct 26, 2017 Severity: 2-Critical
Symptoms:
The browser enters an infinite redirect loop. The client begins with a GET to a protected resource. The APM redirects it to an F5Networks-SSO-Req URL on the primary authentication domain. If the access policy has already completed, the APM redirects again to a GET of F5Networks-SSO-Resp on the original resource domain. The APM then redirects to the original resource URL, with a Set-Cookie header for the MRHSession cookie. At this point the browser follows the redirect to the original resource URL but discards the cookie. When the APM receives that request without the session cookie, it starts the multi-domain SSO process again, and the browser is now in an infinite redirect loop.
Impact:
Safari 11 clients will be unable to access some resources.
Conditions:
The issue is reproduced only when the resource is displayed in an iframe within the original web page, and only when the resource and the authentication domain have different second-level domain names (i.e. different registrable domains), e.g. resource.com and f5auth.com. This may be related to Safari 11's Intelligent Tracking Prevention (ITP), as the iframe construction looks very similar to the pattern used by cross-site tracking cookies.
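The redirect chain and the cookie-drop condition above are easy to mis-read from a HAR file, so the following is an added toy model (not code from the F5 article or from BIG-IP APM) of the three-hop multi-domain SSO exchange and of a frame that discards cookies set at the end of a redirect chain that crossed registrable domains. The hostnames, the `orig` query parameter, the cookie value and the "drop after a cross-site chain" rule are assumptions that approximate the article's description; they are not APM's real wire format or Safari's actual ITP algorithm. The model shows the loop arising only when the auth and resource domains differ, and includes the state-based loop detector a practitioner would use to confirm it.

```python
"""Toy model of the APM multi-domain SSO redirect chain (added example,
not F5 code). Demonstrates why a client that drops the MRHSession cookie
after a cross-site redirect chain ends up in an infinite 302 loop."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_COOKIE = "MRHSession"   # the APM session cookie named in the article
MAX_HOPS = 20                   # hop budget before declaring a redirect loop


def registrable_domain(host: str) -> str:
    """Approximation of the article's 'second-level domain' test: the last two
    DNS labels. A real check would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    set_cookie: Optional[Tuple[str, str, str]] = None   # (host, name, value)


class APM:
    """Assumed model of the three APM endpoints described in the article."""

    def __init__(self, auth_host: str, policy_completed: bool = True):
        self.auth_host = auth_host
        self.policy_completed = policy_completed

    def handle(self, url: str, cookies: Dict[Tuple[str, str], str]) -> Response:
        u = urlsplit(url)
        q = parse_qs(u.query)
        if u.netloc == self.auth_host and u.path == "/F5Networks-SSO-Req":
            if not self.policy_completed:
                return Response(200)        # would render the logon page instead
            orig = q["orig"][0]
            o = urlsplit(orig)
            loc = urlunsplit((o.scheme, o.netloc, "/F5Networks-SSO-Resp",
                              urlencode({"orig": orig}), ""))
            return Response(302, loc)
        if u.path == "/F5Networks-SSO-Resp":
            # Hand the session to the resource domain, then bounce to the original URL.
            return Response(302, q["orig"][0],
                            set_cookie=(u.netloc, SESSION_COOKIE, "sess-1"))
        if cookies.get((u.netloc, SESSION_COOKIE)):
            return Response(200)            # session cookie present: serve the resource
        loc = urlunsplit(("https", self.auth_host, "/F5Networks-SSO-Req",
                          urlencode({"orig": url}), ""))
        return Response(302, loc)


class FrameBrowser:
    """A frame that follows redirects. With drop_cross_site=True it discards a
    cookie set by a redirect chain that has visited more than one registrable
    domain (assumed approximation of the ITP behaviour the article suspects)."""

    def __init__(self, drop_cross_site: bool):
        self.drop_cross_site = drop_cross_site
        self.jar: Dict[Tuple[str, str], str] = {}

    def load(self, apm: APM, url: str) -> Tuple[str, List[Tuple[str, int]]]:
        seen = set()
        chain_domains = {registrable_domain(urlsplit(url).netloc)}
        trace: List[Tuple[str, int]] = []
        for _ in range(MAX_HOPS):
            # A repeated (URL, cookie jar) state means no progress: a loop.
            state = (url, frozenset(self.jar.items()))
            if state in seen:
                return "loop", trace
            seen.add(state)
            resp = apm.handle(url, self.jar)
            trace.append((url, resp.status))
            if resp.set_cookie:
                host, name, value = resp.set_cookie
                if not (self.drop_cross_site and len(chain_domains) > 1):
                    self.jar[(host, name)] = value
                # else: dropped, it looks like a cross-site tracking cookie
            if resp.status != 302:
                return "done", trace
            url = resp.location
            chain_domains.add(registrable_domain(urlsplit(url).netloc))
        return "loop", trace


def simulate(drop_cross_site: bool, auth_host: str = "sso.f5auth.com"):
    """Run one frame load of an assumed resource URL through the model."""
    browser = FrameBrowser(drop_cross_site)
    return browser.load(APM(auth_host), "https://app.resource.com/report")


if __name__ == "__main__":
    for drop, auth in ((False, "sso.f5auth.com"), (True, "sso.f5auth.com"),
                       (True, "sso.resource.com")):
        outcome, trace = simulate(drop, auth)
        print(f"drop_cross_site={drop} auth={auth}: {outcome}")
        for hop_url, status in trace:
            print(f"  {status} {hop_url}")
```

The third run reproduces the article's workaround: with the auth host under the same second-level domain as the resource, the chain never crosses registrable domains, the cookie survives, and the fourth request is served with 200. The loop detector keys on the (URL, cookie jar) pair rather than on the URL alone, because the same URL legitimately appears twice in a working flow (once without and once with the session cookie).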
Workaround:
Do not use the iframe construction with different second-level domain names; keep the authentication domain and the resource under the same second-level domain. If the iframe construction must be used, the relevant Safari privacy settings can be changed on the client. For iOS clients, turn off the "Prevent Cross-Site Tracking" option. For OS X clients, change the Safari cookie privacy option to "Always Allow". Note that either setting relaxes cookie blocking for every site the user visits, not only the APM-protected resource, so this is a client-side privacy trade-off rather than a server-side fix.
Fix Information:
None