Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1
Fixed In:
15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3
Opened: May 09, 2019 Severity: 3-Major
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long. This client may get blocked by TCP RST, or suffer from a challenge loop.
Legitimate browsers may get blocked or suffer from a challenge loop
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured -- Request has a Referer header that is between ~1400 and 3072 characters long
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Challenges with long Referer headers no longer block legitimate clients.