Bug ID 830341: False positives Mismatched message key on ASM TS cookie

Last Modified: Oct 23, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 16.0.0, 16.0.0.1

Opened: Sep 23, 2019
Severity: 3-Major

Symptoms

ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Impact

All subsequent requests are rejected on ASM Cookie Hijacking violation

Conditions

-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected -- The cookie is left intact

Workaround

1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode. OR 2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix Information

None

Behavior Change