Bug ID 700728: Provide an internal parameter to configure allowed empty headers

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0

Opened: Jan 04, 2018

Severity: 4-Minor

Symptoms

Some headers are expected to legitimately contain empty values. There is no option to define which headers may be sent with an empty value without triggering the empty-value violation while the violation continues to be enforced on all other headers.

Impact

A legitimate request triggers a violation.

Conditions

-- 'HTTP protocol compliance failed' violation: 'Header name with no header value' is enabled.
-- A request arrives with a header that has no value.

Workaround

Disable 'HTTP protocol compliance failed' violation: 'Header name with no header value'.

Important: This workaround reduces general security.

An iRule workaround that uses custom violations and looks into empty headers is possible as well, for example:

    when ASM_REQUEST_DONE {
        # Check every header of the request that ASM has finished processing
        foreach header_name [HTTP::header names] {
            # Raise the custom violation for any empty header except the allowed one
            if {([HTTP::header value $header_name] eq "") && !($header_name eq "my-allowed-empty-header-name")} {
                log local0.info "raising EMPTY_HEADER_VIOLATION for header $header_name"
                ASM::raise EMPTY_HEADER_VIOLATION
            }
        }
    }

Fix Information

Added an internal parameter 'empty_header_value_allowed' that can be configured with a comma-separated list of headers for which an empty value is allowed.

Behavior Change

This release introduces an internal parameter, 'empty_header_value_allowed', which can be configured with a comma-separated list of headers for which an empty value is allowed.
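
Before populating 'empty_header_value_allowed', it helps to know which headers actually arrive empty in legitimate traffic. The following is an added example, not F5 code and not part of the original bug entry: an offline model of the empty-value check with a comma-separated allowlist, run over constructed sample requests. Case-insensitive name matching and treating a whitespace-only value as empty are assumptions of this sketch, and all function names are hypothetical.

```python
import re
from collections import Counter

def parse_allowlist(param):
    """Parse a comma-separated header list (the shape the fix describes)."""
    # Assumption: names are matched case-insensitively, as HTTP header names are.
    return {n.strip().lower() for n in param.split(",") if n.strip()}

def empty_headers(raw_request):
    """Return the names of headers with no value, in request order."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    # Unfold obsolete line folding so a value continued on the next line
    # is not mistaken for an empty header.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    found = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # not a header field
        # Assumption: a value of only spaces/tabs counts as empty.
        if value.strip(" \t") == "":
            found.append(name)
    return found

def violations(raw_request, allowlist_param):
    """Empty headers that would still be flagged given the allowlist."""
    allowed = parse_allowlist(allowlist_param)
    return [h for h in empty_headers(raw_request) if h.lower() not in allowed]

def allowlist_candidates(requests, allowlist_param=""):
    """Count flagged header names across a capture to review for the allowlist."""
    counts = Counter()
    for req in requests:
        counts.update(h.lower() for h in violations(req, allowlist_param))
    return dict(counts)

# Constructed sample requests (not real traffic).
REQ1 = b"GET /a HTTP/1.1\r\nHost: example.test\r\nX-Trace-Id:\r\nAccept: */*\r\n\r\n"
REQ2 = (b"POST /b HTTP/1.1\r\nHost: example.test\r\n"
        b"My-Allowed-Empty-Header-Name: \r\nX-Debug:\t\r\nContent-Length: 0\r\n\r\n")
REQ3 = b"GET /c HTTP/1.1\r\nHost: example.test\r\nX-Folded:\r\n value\r\n\r\n"

if __name__ == "__main__":
    print(allowlist_candidates([REQ1, REQ2, REQ3], "my-allowed-empty-header-name"))
```

Each name in the output should be reviewed individually before it is added to the allowlist, so that the violation stays enforced for every header that has no legitimate reason to be empty.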

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips