Bug ID 830341: False positives Mismatched message key on ASM TS cookie

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.1.2

Fixed In:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1

Opened: Sep 23, 2019

Severity: 3-Major

Symptoms

ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Impact

All subsequent requests are rejected on ASM Cookie Hijacking violation

Conditions

-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected -- The cookie is left intact

Workaround

1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode. OR 2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix Information

In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI: /usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1 bigstart restart asm Once enabled, ASM system does not trigger false positives.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips